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FIG. 17 



Transaction received by financial 
messaging unit. Confirmation 
(authentication, etc.) required for 
release of funds or credit. 



1 



Present user with 
"CONFIRMATION REQUIRED" 
message. 



1702 



1704 



Select confirmation means 
from one of a telcom link 
(dial-up PSTN), or a local link 
(via a point of sale terminal, 
ATM, or the like) comprising 
either optical, magnetic 
electric, or acoustic 
device. 



7706 



If Telcom, dial either 
predetermined response 
number or number received 
in conjunction with the 
secure financial message 



1708 



Contact issuer host, identify 
messaging unit, identify 
transaction by serial 
number, etc, generate and 
send required confirmation 
message 



7770 



Receive transaction 
authorization from issuer 

host, and execute 
transaction, accordingly. 



7772 
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TRANSACTION AUTHENTICATION FOR financial transactions over existing paging infrastructure 

1-WAY WIRELESS FINANCIAL MESSAGING equipment, using paging protocols such as FLEX®, a reg- 

UNITS istered United States trademark of Motorola, Inc., POCSAG 

(Post Office Code Standardisation Advisory Group), or the 

FIELD OF THE INVENTION S like. 

, ... „ . , A first aspect of the invention involves realizing hardware 

This invention relates in general to selective call signal- ^ . „ method for over , ayin g secUK messaging 

ling systems and more particularly to a selective call sig- oQ an ejdstm ^ infrastructure. The existing paging 

nailing system that facilitates secure financial transactions inhMtUK %* ^ s a ing termina , that inchldes a 

over a wireless network and an alternate transaction ongi- M encoder for ^ received messages and their 

nation and authentication procedure. corresponding destination requests. The paging terminal 

BACKGROUND OF THE INVENTION g enerates a messaging queue °f sekcdve call messages 

comprising the received messages and their corresponding 

In conventional selective call signaling systems, a user or selective call addresses), as determined from the corre- 

originator may send a message to a subscriber unit (e.g., is sponding destination requests. Distribution of the selective 

selective call receiver), the message comprising an address call messages in the messaging queue is handled by the 

associated with the subscriber unit, and data. The data may paging terminal which dispatches messages to at least one 

be in one or more forms such as numeric digits representing base station (e.g., transmitter, antenna, and receiver) for 

a phone number, alphanumeric characters representing a communication between the base station and the subscriber 

readable text message, or possibly a multimedia message 20 unit(s) or pagers. 

comprising audio and graphical information. Topically, this A second aspect of the invention involves the inclusion of 

form of messaging was sufficient to convey information a cryptographic engine in the paging terminal for selectively 

between individuals or services relating to their business, ciphering, deciphering, signing, and verifying the authen- 

special interests, whereabouts, general scheduling, or time ticity of messages received from both an originator and from 

critical appointments. However, because of society's 25 mc subscriber unit or pager. 

increased need for information when a person is mobile, a A third aspect of the invention involves the subscriber unit 

solution must be found that allows an individual to perform or p ager mat ^ equipped with a special security module that 

personal or business transactions, as well as keeping can p rocess cryptographic information contained in the 

informed of personal events, contacts, and business infer- selective call messages to verify their authenticity extract the 

mation, 30 ciphered data, and return ciphered responses or acknowl- 

Considering conventional wireless systems including edgments as necessary, to authenticate and confirm recep- 

both cellular and paging applications, there are significant tion of the secure message. 

problems that must be solved before reliable and private ^ f ourm aS p CC t of the invention involves the subscriber 
personal or business transactions can be implemented. umt or p a g e r being equipped with a primary and possibly a 
Because of the advancement of the engineering sciences, 35 SCC ondary apparatus for communicating both inbound and 
particularly in the areas of wireless communications and outbound messages. The primary apparatus comprises a 
computer science, it has become relatively easy for a conventional radio frequency receiver and optionally a con- 
"hacker" to monitor both the address and data broadcast to ventional radio frequency transmitter. The secondary appa- 
the selective call receiver. This unwanted monitoring or ratus comprises an optical receiver and optionally an optical 
eavesdropping poses a problem to potential users of wireless transmitter. Alternatively, the secondary apparatus may fur- 
communication systems in that their personal data may be mer comprise one or more acoustic or other electromagnetic 
exposed to unauthorized individuals, thus creating an unnec- transducers and associated circuitry implementing a uni- or 
essary risk for both parties if confidential information is bi-directional communication link between the subscriber 
broadcast. Moreover, if the information contains clear-text umt or pa ger and the originator. 

data representing a personal address, serial number Personal 45 A fifth agpect of the invention involves the subscriber unit 

Identification Number (PIN) or the like, an unscrupulous or p ager including a single, predetermined account identifier 

party monitoring the data stream could gain access to an corresponding with at least one of an electronic cash or 

individual's personal accounts or pirate the address to clone fundg gtorage card> debit card> Cfedit ^ of 5ank accounL 

an unauthorized communication device. The theft of service invention involves the subscriber 

or confidential information m this manner is probably the ^ £ ^ e determined account 

most daunting issue facing communication equipment ^ s ^ ^ ^ ^ of ^ mowi 

manufacturers and service providers today and ir ^ dectronic cash storage card, debit card, credit card, 

The interest in securing data contained m broadcasts is ^ aC count 

especially keen in the area of electronic financial transac- 4 . r , rt ,„„ tUo 

lions. To expose for capture, the clear text data contained in 55 A seventh aspect of the invention involves the c^pto- 

a financial transaction invites, and will surely result, in a " th ? P a 8 m f temlnal *^ 

theft of funds or fraud against an individual. in ' he unit ° r pager accommodating a 

, . . . . . plurality of cryptographic procedures. These cryptographic 

mis, what is needed is wireless messaging system that rocemires comprise both private and public key systems, as 

allows an originator to communicate a secure message 6Q a ia te. One such private key system is the Data 

between a subscriber unit and the originator, and authenti- Encryption standard (DES) using the ANSI X3.92 DES 

cate the secure message, without exposing the content or ^ oriihm m CBC mode< similarly, a first public key system 

meaning of the message. fe RSA ( mV ented by Rivest, Shamir, and Adleman), a 

SUMMARY OF THE INVENTION cryptographic procedure based on sub-exponential one-way 

auMMAKi ur mti iiNVfciNiiurN 65 ft^fcjjs implemented using modulo n integer multiplica- 

Briefly, according to the invention, there is provided a tion and exponentation. A second public key system uses 

method and apparatus for sending data comprising secure elliptic curve technology, a cryptographic procedure based 
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on highly non-linear exponential one-way functions imple- 
mented over finite fields. 

An eight aspect of the invention involves initiating a 
wireless transaction from the subscriber unit or pager, the 
wireless transaction relating to at least one of the electronic 5 
cash or funds storage card, debit card, credit card, or bank 
account. 

A ninth aspect of the invention involves a user selected 
personal identification number that is programmed into the 
subscriber unit or pager for protecting financial accounts or 10 
funds loaded in the subscriber unit or pager. 

A tenth aspect of the invention involves a user selected 
personal identification number that is programmed into the 
Smart Card via the subscriber unit or pager, thus disabling 15 
access to any features of the protected Smart Card unless 
subsequently accessed or reprogrammed by the subscriber 
unit or pager. 

An eleventh aspect of the invention involves authenticat- 
ing the an authorized subscriber unit or pager as a commu- 2 o 
nication agent for the wireless financial transaction, and 
selectively disallowing any financial transactions directed to 
accounts belonging to or controlled by the authorized sub- 
scriber unit or pager when an inbound or outbound financial 
transaction is communicated between an issuer and an 2 5 
unauthorized subscriber unit or pager, and in the alternative, 
preventing fund transfers or credit transactions that exceed 
a predetermined limit set either by an authorized user or a 
regulator such as a bank, a credit card issuer or the like. 

30 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is an electrical block diagram of a data transmis- 
sion system for use in accordance with the preferred 
embodiment of the present invention. 

FIG. 2 is an electrical block diagram of a terminal for 
processing and transmitting message information in accor- 
dance with the preferred embodiment of the present inven- 
tion. 

FIGS. 3-5 are timing diagrams illustrating the transmis- 4Q 
sion format of the signaling protocol utilized in accordance 
with the preferred embodiment of the present invention. 

FIGS. 6 and 7 are timing diagrams illustrating the syn- 
chronization signals utilized in accordance with the pre- 
ferred embodiment of the present invention, 45 

FIG. 8 is an electrical block diagram of a financial 
messaging unit in accordance with the preferred embodi- 
ment of the present invention. 

FIG. 9 is a diagram of a secure messaging system in 
accordance with the present invention. 50 

FIG. 10 is a high level block diagram of a financial 
messaging unit in accordance with the preferred embodi- 
ment of the present invention. 

FIG. 11 is a block diagram of the message composition 55 
and encryption equipment that could be used on the pre- 
mises of a financial institution to send secure electronic 
funds transfer authorizations to financial messaging units via 
a paging channel. 

FIG. 12 is a functional diagram of a wireless selective call 6 q 
signaling system controller that implements a combined 
1-way and 2- way secure messaging system capable of 
signalling the financial messaging units. 

FIG. 13 depicts the various layers of a messaging system 
in a format that is similar to the Organization Standards 65 
International (OSI) stack diagram that is well known in the 
electronics industry. 



4 

FIG. 14 is a flow diagram depicting typical operation of 
a financial messaging unit in accordance with the preferred 
embodiment of the present invention. 

FIG. 15 illustrates a typical sequence associated with 
requesting and authorizing the electronic transfer of funds or 
debit of funds by and from a wireless financial messaging 
unit. 

FIG. 16 illustrates a typical sequence associated with the 
wireless transfer of funds or debit of funds by and from a 
wireless financial messaging unit in both a 1-way and a 
2-way secure communication system. 

FIG. 17 is a flow diagram depicting a typical sequence 
associated with either authentication or confirmation of a 
wireless transfer of funds, debit of funds, or credit transac- 
tion between a wireless financial messaging unit and a 
regulator in either a 1-way or a 2-way secure communication 
system. 

DESCRIPTION OF A PREFERRED 
EMBODIMENT 

Referring to FIG. 1, an electrical block diagram illustrates 
a data transmission system 100, such as a paging system, for 
use in accordance with the preferred embodiment of the 
present invention. In the data transmission system 100, 
messages originating either from a phone, as in a system 
providing numeric data transmission, or from a message 
entry device, such as an alphanumeric data terminal, are 
routed through the public switched telephone network 
(PSTN) to a paging terminal 102 which processes the 
numeric or alphanumeric message information for transmis- 
sion by one or more transmitters 104 provided within the 
system. When multiple transmitters are utilized, the trans- 
mitters 104 preferably simulcast transmit the message infor- 
mation to financial messaging units 106. Processing of the 
numeric and alphanumeric information by the paging ter- 
minal 102, and the protocol utilized for the transmission of 
the messages is described below. 

Referring to FIG. 2, an electrical block diagram illustrates 
the paging terminal 102 utilized for processing and control- 
ling the transmission of the message information in accor- 
dance with the preferred embodiment of the present inven- 
tion. Short messages, such as tone -only and numeric 
messages which can be readily entered using a Touch- 
Tone™ telephone are coupled to the paging terminal 102 
through a telephone interface 202 in a manner well known 
in the art. Longer messages, such as alphanumeric messages 
which require the use of a data entry device are coupled to 
the paging terminal 102 through a modem 206 using any of 
a number of well known modem transmission protocols. 
When a call to place a message is received, a controller 204 
handles the processing of the message. The controller 204 is 
preferably a microcomputer, such as a MC680x0 or 
equivalent, which is manufactured by Motorola Inc., and 
which runs various pre-programmed routines for controlling 
such terminal operations as voice prompts to direct the caller 
to enter the message, or the handshaking protocol to enable 
reception of messages from a data entry device. When a call 
is received, the controller 204 references information stored 
in the subscriber database 208 to determine how the message 
being received is to be processed. The subscriber data base 
208 includes, but is not limited to such information as 
addresses assigned to the financial messaging unit, message 
type associated with the address, and information related to 
the status of the financial messaging unit, such as active or 
inactive for failure to pay the bill. A data entry terminal 240 
is provided which couples to the controller 204, and which 
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is used for such purposes as entry, updating and deleting of 
information stored in the subscriber data base 208, for 
monitoring system performance, and for obtaining such 
information as billing information. 

The subscriber database 208 also includes such informa- 
tion as to what transmission frame and to what transmission 
phase the financial messaging unit is assigned, as will be 
described in further detail below. The received message is 
stored in an active page file 210 which stores the messages 
in queues according to the transmission phase assigned to 
the financial messaging unit. In the preferred embodiment of 
the present invention, four phase queues are provided in the 
active page file 210. The active page file 210 is preferably a 
dual port, first in first out random access memory, although 
it will be appreciated that other random access memory 
devices, such as hard disk drives, can be utilized as well. 
Periodically the message information stored in each of the 
phase queues is recovered from the active page file 210 
under control of controller 204 using timing information 
such as provided by a real time clock 214, or other suitable 
timing source. The recovered message information from 
each phase queue is sorted by frame number and is then 
organized by address, message information, and any other 
information required for transmission (all of which is 
referred to as message related information), and then 
batched into frames based upon message size by frame 
batching controller 212. The batched frame information for 
each phase queue is coupled to frame message buffers 216 
which temporarily store the batched frame information until 
a time for further processing and transmission. Frames are 
batched in numeric sequence, so that while a current frame 
is being transmitted, the next frame to be transmitted is in the 
frame message buffer 216, and the next frame thereafter is 
being retrieved and batched. At the appropriate time, the 
batched frame information stored in the frame message 
buffer 216 is transferred to the frame encoder 218, again 
maintaining the phase queue relationship. The frame 
encoder 218 encodes the address and message information 
into address and message codewords required for 
transmission, as will be described below. The encoded 
address and message codewords are ordered into blocks and 
then coupled to a block interleaver 220 which interleaves 
preferably eight codewords at a time to form interleaved 
information blocks for transmission in a manner well known 
in the art. The interleaved codewords contained in the 
interleaved information blocks produced by each block 
interleaver 220 are then serially transferred to a phase 
multiplexer 221, which multiplexes the message information 
on a bit by bit basis into a serial data stream by transmission 
phase. The controller 204 next enables a frame sync gen- 
erator 222 which generates the synchronization code which 
is transmitted at the start of each frame transmission. The 
synchronization code is multiplexed with address and mes- 
sage information under the control of controller 204 by 
serial data splicer 224, and generates therefrom a message 
stream which is properly formatted for transmission. The 
message stream is next coupled to a transmitter controller 
226, which under the control of controller 204 transmits the 
message stream over a distribution channel 228. The distri- 
bution channel 228 may be any of a number of well known 
distribution channel types, such as wire line, an RF or 
microwave distribution channel, or a satellite distribution 
link. The distributed message stream is transferred to one or 
more transmitter stations 104, depending upon the size of the 
communication system. The message stream is first trans- 
ferred into a dual port buffer 230 which temporarily stores 
the message stream prior to transmission. At an appropriate 
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time determined by timing and control circuit 232, the 
message stream is recovered from the dual port buffer 230 
and coupled to the input of preferably a 4-level FSK 
modulator 234. The modulated message stream is then 
coupled to the transmitter 236 for transmission via antenna 
238. 

Referring to FIGS. 3, 4 and 5, the timing diagrams 
illustrate the transmission format of the signaling protocol 
utilized in accordance with the preferred embodiment of the 
present invention. This signalling protocol is commonly 
referred to as Motorola's FLEX selective call signalling 
protocol. As shown in FIG. 3, the signaling protocol enables 
message transmission to financial messaging units, such as 
pagers, assigned to one or more of 128 frames which are 
labeled frame 0 through frame 127. It then will be appreci- 
ated that the actual number of frames provided within the 
signaling protocol can be greater or less than described 
above. The greater the number of frames utilized, the greater 
the battery life that may be provided to the financial mes- 
saging units operating within the system. The fewer the 
number of frames utilized, the more often messages can be 
queued and delivered to the financial messaging units 
assigned to any particular frame thereby reducing the 
latency, or time required to deliver messages. 

As shown in FIG. 4, the frames comprise a synchroniza- 
tion codeword (sync) followed preferably by eleven blocks 
of message information (information blocks) which are 
labeled block 0 through block 10. As shown in FIG. 5., each 
block of message information comprises preferably eight 
address, control or data codewords which are labeled word 
0 through word 7 for each phase. Consequently, each phase 
in a frame allows the transmission of up to eighty-eight 
address, control and data codewords. The address, control 
and data codewords preferably comprise two sets, a set first 
relating to a vector field comprising a short address vector, 
a long address vector, a first message word, and a null word, 
and a second set relating to a message field comprising a 
message word and a null word. 

The address, control, and data or message codewords are 
preferably 31,21 BCH codewords with an added thirty- 
second even parity bit which provides an extra bit of 
distance to the codeword set. It will be appreciated that other 
codewords, such as a 23,12 Golay codeword could be 
utilized as well. Unlike the well known POCSAG signaling 
protocol which provides address and data codewords which 
utilize the first codeword bit to define the codeword type, as 
either address or data, no such distinction is provided for the 
address and data codewords in the FLEX signaling protocol 
utilized with the preferred embodiment of the present inven- 
tion. Rather, address and data codewords are defined by their 
position within the individual frames. 

FIGS. 6 and 7 are timing diagrams illustrating the syn- 
chronization code utilized in accordance with the preferred 
embodiment of the present invention. In particular, as shown 
in FIG. 6, the synchronization code comprises preferably 
three parts, a first synchronization code (sync 1), a frame 
information codeword (frame info) and a second synchro- 
nization codeword (sync 2). As shown in FIG. 7, the first 
synchronization codeword comprises first and third portions, 
labeled bit sync 1 and BS1, which are alternating 1,0 bit 
patterns which provides bit synchronization, and second and 
fourth portions, labeled "A" and its complement "A bar", 
which provide frame synchronization. The second and 
fourth portions are preferably single 32,21 BCH codewords 
which are predefined to provide high codeword correlation 
reliability, and which are also used to indicate the data bit 
rate at which addresses and messages are transmitted. Table 
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1 defines the data bit rates which are used in conjunction 
with the signaling protocol. 

TABLE 1 



Bit Rate 


"A" Value 


1600 bps 


Al and Al bar 


3200 bps 


A2 and A2 bar 


6400 bps 


A3 and A3 bai 


Not defined 


A4 and A4 bar 



As shown in Table 1, three data bit rates are predefined for 
address and message transmission, although it will be appre- 
ciated that more or less data bit rates can be predefined as 
well, depending upon the system requirements. 

The frame information codeword is preferably a single 
32,21 BCH codeword which includes within the data portion 
a predetermined number of bits reserved to identify the 
frame number, such as 7 bits encoded to define frame 
number 0 to frame number 127, 

The structure of the second synchronization code is 
preferably similar to that of the first synchronization code 
described above. However, unlike the first synchronization 
code which is preferably transmitted at a fixed data symbol 
rate, such as 1600 bps (bits per second), the second syn- 
chronization code is transmitted at the data symbol rate at 
which the address and messages are to be transmitted in any 
given frame. Consequently, the second synchronization code 
allows the financial messaging unit to obtain "fine" bit and 
frame synchronization at the frame transmission data bit 
rate. 

In summary the signaling protocol utilized with the pre- 
ferred embodiment of the present invention comprises 128 
frames which include a predetermined synchronization code 
followed by eleven information blocks which comprise eight 
address, control or message codewords per phase. The 
synchronization code enables identification of the data trans- 
mission rate, and insures synchronization by the financial 
messaging unit with the data codewords transmitted at the 
various transmission rates. 

FIG. 8 is an electrical block diagram of the financial 
messaging unit 106 in accordance with the preferred 
embodiment of the present invention. The heart of the 
financial messaging unit 106 is a controller 816, which is 
preferably implemented using a low power MC68HC0x 
microcomputer, such as manufactured by Motorola, Inc., or 
the like. The microcomputer controller, hereinafter call the 
controller 816, receives and processes inputs from a number 
of peripheral circuits, as shown in FIG. 8, and controls the 
operation and interaction of the peripheral circuits using 
software subroutines. The use of a microcomputer controller 
for processing and control functions (e.g., as a function 
controller) is well known to one of ordinary skill in the art. 

The financial messaging unit 106 is capable of receiving 
address, control and message information, hereafter called 
"data" which is modulated using preferably 2-level and 
4-level frequency modulation techniques. The transmitted 
data is intercepted by an antenna 802 which couples to the 
input of a receiver section 804. Receiver section 804 pro- 
cesses the received data in a manner well known in the art, 
providing at the output an analog 4-level recovered data 
signal, hereafter called a recovered data signal. The recov- 
ered data signal is coupled to one input of a threshold level 
extraction circuit 808, and to an input of a 4-level decoder 
810. 

Operation of the threshold level extraction circuit 808, 
4-level decoder 810, symbol synchronizer 812, 4-level to 
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binary converter 814, synchronization codeword correlator 
818, and phase timing generator (data recovery timing 
circuit) 826 depicted in the financial messaging unit of FIG. 
8 is best understood with reference to U.S. Pat. No. 5,282, 
205 entitled "Data Communication Terminal Providing Vari- 
able Length Message Carry-On And Method Therefor/' 
issued to Kuznicki et al, assigned to Motorola, Inc., the 
teachings of which are incorporated herein by reference 
thereto. 

Again referring to FIG. 8, the threshold level extraction 
circuit 808 comprises two clocked level detector circuits 
(not shown) which have as inputs the recovered data signal. 
Preferably, signal states of 17%, 50% and 83%, are utilized 
to enable decoding the 4-level data signals presented to the 
threshold level extraction circuit 808. 

When power is initially applied to the receiver portion, as 
when the financial messaging unit is first turned on, a clock 
rate selector is preset through a control input (center sample) 
to select a 128x clock, i.e. a clock having a frequency 
equivalent to 128 times the slowest data bit rate, which as 
described above is 1600 bps. The 128x clock is generated by 
128x clock generator 844, as shown in FIG. 8, which is 
preferably a crystal controlled oscillator operating at 204.8 
KHz (kilohertz). The output of the 128x clock generator 844 
couples to an input of frequency divider 846 which divides 
the output frequency by two to generate a 64x clock at 102.4 
KHz. The 128x clock allows the level detectors to asyn- 
chronously detect in a very short period of time the peak and 
valley signal amplitude values, and to therefore generate the 
low (Lo), average (Avg) and high (Hi) threshold output 
signal values required for modulation decoding. After sym- 
bol synchronization is achieved with the synchronization 
signal, as will be described below, the controller 816 gen- 
erates a second control signal (center sample) to enable 
selection of a lx symbol clock which is generated by symbol 
synchronizer 812 as shown in FIG. 8. 

The 4-level decoder 810 preferably operates using three 
voltage comparators and a symbol decoder. The recovered 
data signal is coupled to an input of the three comparators 
having thresholds corresponding with normalized signal 
states of 17%, 50% and 83%. The resulting system effec- 
tively recovers the demodulated 2- or 4-level FSK informa- 
tion signal by coupling the recovered data signal to the 
second input of an 83% comparator, the second input of a 
50% comparator, and the second input of a 17% comparator. 
The outputs of the three comparators corresponding with the 
low (Lo), average (Avg) and high (Hi) threshold output 
signal values are coupled to inputs of a symbol decoder. The 
symbol decoder then decodes the inputs according to Table 
2. 

TABLE 2 





Threshold 




Output 




Hi 


Avg 


Lo 


MSB 


LSB 


RC in < 


RC in < 




0 


0 


RC fa < 


RCfc < 


RC in > 


0 


1 


RCfc < 


RCfc > 


RC to > 


1 


1 


RC fa > 


RCu, > 


RC to > 


1 


0 



60 
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As shown in Table 2, when the recovered data signal 
(RC (>1 ) is less than all three threshold values, the symbol 
generated is 00 (MSB=0, LSB=0). Thereafter, as each of the 
three threshold values is exceeded, a different symbol is 
generated, as shown in the table above. 

The MSB output from the 4-level decoder 810 is coupled 
to an input of the symbol synchronizer 812 and provides a 
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recovered data input generated by detecting the zero cross- 
ings in the 4-level recovered data signal. The positive level 
of the recovered data input represents the two positive 
deviation excursions of the analog 4-level recovered data 
signal above the average threshold output signal, and the s 
negative level represents the two negative deviation excur- 
sions of the analog 4-level recovered data signal below the 
average threshold output signal. 

The symbol synchronizer 812 uses a 64x clock at 102.4 
KHz which is generated by frequency divider 846, that is 10 
coupled to an input of a 32 x rate selector (not shown). The 
32x rate selector is preferably a divider which provides 
selective division by 1 or 2 to generate a sample clock which 
is thirty-two times the symbol transmission rate. A control 
signal (1600/3200) is coupled to a second input of the 32x 15 
rate selector, and is used to select the sample clock rate for 
symbol transmission rates of 1600 and 3200 symbols per 
second. The selected sample clock is coupled to an input of 
32x data oversampler (not shown) which samples the recov- 
ered data signal (MSB) at thirty-two samples per symbol. 20 
The symbol samples are coupled to an input of a data edge 
detector (not shown) which generates an output pulse when 
a symbol edge is detected. The sample clock is also coupled 
to an input of a divide-by-16/32 circuit (not shown) which 
is utilized to generate lx and 2x symbol clocks synchronized 
to the recovered data signal. The divided-by-1 6/32 circuit is 
preferably an up/down counter. When the data edge detector 
detects a symbol edge, a pulse is generated which is gated 
by an AND gate with the current count of divide-by-16/32 
circuit. Concurrently, a pulse is generated by the data edge 
detector which is also coupled to an input of the divide-by- 
16/32 circuit. When the pulse coupled to the input of the 
AND gate arrives before the generation of a count of 
thirty-two by the divide-by-16/32 circuit, the output gener- 
ated by the AND gate causes the count of divide-by-16/32 35 
circuit to be advanced by one count in response to the pulse 
which is coupled to the input of divide-by-16/32 circuit from 
the data edge detector, and when the pulse coupled to the 
input of the AND gate arrives after the generation of a count 
of thirty-two by the divide-by-16/32 circuit, the output 40 
generated by the AND gate causes the count of divide-by- 
16/32 circuit to be retarded by one count in response to the 
pulse which is coupled to the input of divide-by-16/32 
circuit from the data edge detector, thereby enabling the 
synchronization of the lx and 2x symbol clocks with the 45 
recovered data signal. The symbol clock rates generated are 
best understood from Table 3 below. 
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TABLE 3 



Input 
Clock 
(Relative) 


Control 
Input 
(SPS) 


Rate 
Selectoi 
Divide 

Ratio 


Rate 
Selector 
Output 


2X 
Symbol 
Qock 
(BPS) 


IX 
Symbol 
Clock 
(BPS) 


64X 
64X 


1600 
3200 


by 2 
by 1 


32X 
64X 


3200 
6400 


1600 
3200 



As shown in the table above, the lx and 2x symbol clocks 
are generated 1600, 3200 and 6400 bits per second and are 
synchronized with the recovered data signal. 

The 4-level binary converter 814 couples the lx symbol 
clock to a first clock input of a clock rate selector (not 
shown). A 2x symbol clock is coupled to a second clock 
input of the clock rate selector. The symbol output signals 
(MSB, LSB) are coupled to inputs of an input data selector 
(not shown). A selector signal (2L/4L) is coupled to a 
selector input of the clock rate selector and the selector input 



50 
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60 



of the input data selector, and provides control of the 
conversion of the symbol output signals as either 2-level 
FSK data, or 4-level FSK data. When the 2-level FSK data 
conversion (2L) is selected, only the MSB output is selected 
which is coupled to the input of a conventional parallel to 
serial converter (not shown). The lx clock input is selected 
by clock rate selector which results in a single bit binary data 
stream to be generated at the output of the parallel to serial 
converter. When the 4-level FSK data conversion (4L) is 
selected, both the LSB and MSB outputs are selected which 
are coupled to the inputs of the parallel to serial converter. 
The 2x clock input is selected by clock rate selector which 
results in a serial two bit binary data stream to be generated 
at 2x the symbol rate, which is provided at the output of the 
parallel to serial converter. 

Referring again to FIG. 8, the serial binary data stream 
generated by the 4-level to binary converter 814 is coupled 
to inputs of a synchronization codeword correlator 818 and 
a demultiplexer 820. Predetermined "A" codeword synchro- 
nization patterns are recovered by the controller 816 from a 
code memory 822 and are coupled to an "A" codeword 
correlator (not shown). When the synchronization pattern 
received matches one of the predetermined "A" codeword 
synchronization patterns within an acceptable margin of 
error, an "A" or "A-bar" output is generated and is coupled 
to controller 816, The particular "A" or "A-bar" codeword 
synchronization pattern correlated provides frame synchro- 
nization to the start of the frame ID codeword, and also 
defines the data bit rate of the message to follow, as was 
previously described. 

The serial binary data stream is also coupled to an input 
of the frame codeword decoder (not shown) which decodes 
the frame codeword and provides an indication of the frame 
number currently being received by the controller 816. 
During sync acquisition, such as following initial receiver 
turn-on, power is supplied to the receiver portion by battery 
saver circuit 848, shown in FIG. 8, which enabled the 
reception of the "A" synchronization codeword, as 
described above, and which continues to be supplied to 
enable processing of the remainder of the synchronization 
code. The controller 816 compares the frame number cur- 
rently being received with a list of assigned frame numbers 
stored in code memory 822. Should the currently received 
frame number differ from an assigned frame numbers, the 
controller 816 generates a battery saving signal which is 
coupled to an input of battery saver circuit 848, suspending 
the supply of power to the receiver portion. The supply of 
power will be suspended until the next frame assigned to the 
receiver, at which time a battery saver signal is generated by 
the controller 816 which is coupled to the battery saving 
circuit 848 to enable the supply of power to the receiver 
portion to enable reception of the assigned frame. 

Apredetermined "C* codeword synchronization pattern is 
recovered by the controller 816 from a code memory 822 
and is coupled to a "C codeword correlator (not shown). 
When the synchronization pattern received matches the 
predetermined "C" codeword synchronization pattern with 
an acceptable margin of error, a "C" or "C-bar" output is 
generated which is coupled to controller 816. The particular 
"C" or "C-bar" synchronization codeword correlated pro- 
vides "fine" frame synchronization to the start of the data 
portion of the frame. 

The start of the actual data portion is established by the 
controller 816 generating a block start signal (Blk Start) 
which is coupled to inputs of a codeword de-interleaver 824 
and a data recovery timing circuit 826. A control signal 
(2L/4L) is coupled to an input of clock rate selector (not 
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shown) which selects either lx or 2x symbol clock inputs. 
The selected symbol clock is coupled to the input of a phase 
generator (not shown) which is preferably a clocked ring 
counter which is clocked to generate four phase output 
signals (01-04). A block start signal is also coupled to an 
input of the phase generator, and is used to hold the ring 
counter in a predetermined phase until the actual decoding 
of the message information is to begin. When the block start 
signal releases the phase generator, it begins generating 
clocked phase signals which are synchronized with the 
incoming message symbols. 

The clocked phase signal outputs are then coupled to 
inputs of a phase selector 828. During operation, the con- 
troller 816 recovers from the code memory 822, the trans- 
mission phase number to which the financial messaging unit 
is assigned. The phase number is transferred to the phase 
select output (0 Select) of the controller 816 and is coupled 
to an input of phase selector 828. A phase clock, correspond- 
ing to the transmission phase assigned, is provided at the 
output of the phase selector 828 and is coupled to clock 
inputs of the demultiplexer 820, block de-interleaver 824, 
and address and data decoders 830 and 832, respectively. 
The demultiplexer 820 is used to select the binary bits 
associated with the assigned transmission phase which are 
then coupled to the input of block de-interleaver 824, and 
clocked into the de-interleaver array on each corresponding 
phase clock. In a first embodiment, the de-interleaver uses 
an 8x32 bit array which de-interleaves eight 32 bit inter- 
leaved address, control or message codewords, correspond- 
ing to one transmitted information block. The de-interleaved 
address codewords are coupled to the input of address 
correlator 830. The controller 816 recovers the address 
patterns assigned to the financial messaging unit, and 
couples the patterns to a second input of the address corr- 
elator. When any of the de-interleaved address codewords 
matches any of the address patterns assigned to the financial 
messaging unit within an acceptable margin of error (e.g., 
the number of bit errors correctable according to the code- 
word structure selected), the message information and cor- 
responding information associated with the address (e.g., the 
information representing the broadcast and received selec- 
tive call signalling message, which was previously defined 
as message related information) is then decoded by the data 
decoder 832 and stored in a message memory 850. 

Following the detection of an address associated with the 
financial messaging unit, the message information is 
coupled to the input of data decoder 832 which decodes the 
encoded message information into preferably a BCD or 
ASCII format suitable for storage and subsequent display. 

Alternatively, the software based signal processor may be 
replaced with a hardware equivalent signal processor that 
recovers the address patterns assigned to the financial mes- 
saging unit, and the message related information. Following, 
or prior to detection of an address associated with the 
financial messaging unit, the message information and cor- 
responding information associated with the address may be 
stored directly in the message memory 850. Operation in this 
manner allows later decoding of the actual message 
information, e.g., that encoded message information that 
decodes into a BCD, ASCII; or multimedia format suitable 
for subsequent presentation. However, in performing direct 
storage, the memory must be structured in a manner that 
allows efficient, high speed placement of the message infor- 
mation and corresponding information associated with the 
address. Additionally, to facilitate the direct storage of 
message information and corresponding information asso- 
ciated with the address in the message memory 850, a 
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codeword identifier 852 examines the received codeword to 
assign a type identifier to the codeword in response to the 
codeword belonging to one of a set comprising a vector field 
and a set comprising a message field. After determining the 

5 type identifier, a memory controller 854 operates to store the 
type identifier in a second memory region within the 
memory corresponding with the codeword. The above 
memory structure and operation of the de -interleaved infor- 
mation memory storage device comprising the message 

10 memory 850, the codeword identifier 852, and the memory 
controller 854, are more fully discussed in the patents 
incorporated below. 

Following the storage of the message related information, 
a sensible alert signal is generated by the controller 816. The 

1 5 sensible alert signal is preferably an audible alert signal, 
although it will be appreciated that other sensible alert 
signals, such as tactile alert signals, and visual alert signals 
can be generated as well. The audible alert signal is coupled 
by the controller 816 to an alert driver 834 which is used to 

20 drive an audible alerting device, such as a speaker or a 
transducer 836. The user can override the alert signal 
generation through the use of user input controls 838 in a 
manner well known in the art. 
The stored message information can be recalled by the 

25 user using the user input controls 838 whereupon the con- 
troller 816 recovers the message information from memory, 
and provides the message information to a display driver 
840 for presentation on a display 842, such as an LCD 
display. 

In addition to the preceding description, the systems 
previously discussed in reference to FIGS. 1, 2, 7 and 8, and 
protocol previously discussed in reference to FIGS. 3, 4 and 
5 may be more fully understood in view of the following 

35 U.S. Pat. No. 5,168,493 entitled "Time Division Multi- 
plexed Selective Call System" issued to Nelson et al., U.S. 
Pat. No. 5,371,737 entitled "Selective Call Receiver For 
Receiving A Multiphase Multiplexed Signal" issued to Nel- 
son et al., U.S. Pat. No. 5,128,665 entitled "Selective Call 

40 Signalling System" to DeLuca et al., and U.S. Pat. No. 
5,325,088 entitled "Synchronous Selective Signalling Sys- 
tem" to Willard et al., all of which are assigned to Motorola, 
Inc., and the teachings of which are incorporated herein by 
reference thereto. 

45 Referring to FIG. 9, a diagram shows a secure messaging 
system 900 in accordance with the present invention. 

The paging terminal 102 or wireless selective call signal- 
ling system controller, receives information comprising a 
selective call message request including a destination iden- 

50 tifier and a secure financial transaction message. The infor- 
mation is typically coupled to the paging terminal 102 via a 
Public Switched Telephone Network (PSTN) 912 which 
serves to transport the information from a regulator 914 such 
as a bank, credit card issuer or the like. The PSTN 912 may 

55 be coupled to the paging terminal 102 and the regulator 914 
using conventional phone lines 910 or possibly a high speed 
digital network, depending on the information bandwidth 
required for communicating financial transactions between 
the regulator 914 and a plurality of one financial messaging 

60 unit 906. Once coupled to the paging terminal 102, the 
information is formatted as one or more selective call 
messages and transferred 922 to at least one radio frequency 
transmitter 904 for broadcast to at least one financial mes- 
saging unit 906 located in any one of a number of commu- 

65 nication zones 902. The financial messaging unit 906 may 
include an interface that couples unencrypted or encrypted 
information such as the secure financial transaction message 
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to a conventional Smart Card 920 for effecting a financial are limited in range and dispersion. In particular, transmis- 

transaction. Alternatively, the secure financial transaction sion by an optical device is line of sight and extremely 

message may be decoded and stored by the financial mes- directional, thus thwarting any unwanted interception by an 

saging unit 906 when the financial messaging unit 906 unauthorized party. Similarly, if an acoustic or low power 

includes capabilities, e.g., cash load and reload and/or credit 5 electromagnetic device is employed for reverse or local 

services, such as found in a Smart Card 920. channel communications, interception of the communica- 

Two-way capability is provided for the financial messag- tions is difficult due to the limited range and duration of the 

ing unit 906 using either a wired or a wireless return path. communications. 

By way of example, the secure financial transaction message Regarding the security of communications, several cryp- 

is received by the financial messaging unit 906 which 10 tographic methods are suitable for use with the present 

decodes and decrypts a content of the secure financial invention. The following definitions are useful in under- 

transaction message that may represent a cash value token, standing the terminology associated with cryptography as 

credit, or debit amount. This message content is then stored applied to wired or wireless communications contemplated 

by the financial messaging unit 906 pending confirmation of f or use w j m the present invention. 

receipt and a subsequent release of funds or authorization of 15 Certificate — Certificates are digital documents attesting to 

credit by the regulator. If the financial transaction value is ^ b^ing of a public key to an individual or other entity, 

high, the regulator will typically require an acknowledgment Certificates are issued by a Certification Authority (CA), 

from the financial messaging unit 906 before the received wn i c h can be any trusted central administration willing to 

token based funds are activated, or before a credit or debit youch for the identities of those to whom it issues certifi- 

transaction is allowed. However, if the financial transaction 20 cates. A certificate is created when a CAsigns a user's public 

value is low, the regulator may not require an acknowledg- key phls other identifying information, binding the user to 

ment from the financial messaging unit 906 before the their public key. Users present their certificate to other users 

received token based funds are activated, or before a credit {Q demonstrate the validity of their public keys, 

or debit transaction is allowed. In case of a low value Confidentiality-The result of keeping information secret 

transaction, the financial messaging unit 906 may only be 25 from ^ bm thQ&e who are authorized to see it C onfiden- 

required to reconcile its fund or credit capacity one a day, or ^ ^ ^ ^ as pHvacy 

wc ^' . , -11 * * j • mo o 11 ™ Cryptographic Protocol — A distributed algorithm defined 

The secure messaging system illustrated m FIG. 9 allows a ^ q ° ei f ce of steps pre cisely specifying the actions 

wireless return or origination of secure financial transaction > ' ^ ^ or ^ to & dfic 

messages using a reverse or inbound channel received by 30 ob - ect j ve 

distributed receiver sites 908. These sites are typically more J . . 

dense that the outbound broadcast sites 904 since the trans- u Data ^egmy-The assurance that information has not 

mitter power and antenna characteristics of the financial been altered by unauthorized or unknown means. 

messaging unit 906 are significantly inferior to that of a Decryption— The process of transforming encrypted 

dedicated radio frequency base station and wide area trans- 35 information (cipher text) into plain text. 

mitter site 904. Thus, the size and weight of a financial DES (Data Encryption Standard)— A symmetric encryp- 

messaging unit 906 is kept to a minimum, yielding a more tion cipher defined and endorsed by the U.S. government as 

ergonomic portable device with the value added function of an official standard. It is the most well-known and widely 

not requiring a physical connection to effect financial trans- used cryptosystem in the world. 

actions such as bank withdrawals, deposits, credit card 40 Diffie-Hellman — The DifBe-Hellman key agreement pro- 
payments, or purchases. The secure messaging system is tocol provided the first practical solution to the key distri- 
preferably designed to accommodate low power secure bution problem by allowing parties to securely establish a 
financial messaging unit 906 that include devices such as a shared secret key over an open channel. The security is 
message origination unit 1038 and transducer 1040 for based on the discrete log problem. 

implementing the return or origination of secure financial 45 Digital Signature — A data string which associations a 

transaction messages using a reverse or inbound channel 924 message (in digital form) with the originating entity. This 

that is preferably accessed at a merchant 916. Such return or cryptographic primitive is used to provide authentication, 

origination messages are coupled to a regulator or bank 914 <jata integrity and non-repudiation. 

via an Automatic Teller Machine (ATM) 926, a point of sale Discrete Log Problem— The requirement to find the expo- 
terminal 928 or the like. These ATMs point of sale terminals 50 x ^ ^ formula y=g * mod p ^ bg problem 
necessarily include transducers with reciprocal properties to ^ 5elieved ^ be difficult an d the hard direction of a one-way 
those found in the message origination unit 1038. In these fu nct i on 

cases, the low power secure financial messaging ; unit ^906 . (ECC)— A public-key cryp- 

compnses an infrared or laser {osy J m based ^ j^te logarithm problem over 

proximate magnetic induct ^^^ 55 elliptic curves. ECC provides the highest strength-per-bit of 

possibly an acoustic, e.g ultrasonic or audi band acous t c P J ^ of much smaUer 

transducer port, any of which operate couple signals £ r J J ' a 

, ^ J fl r • 1 public-keys compared to other systems, 
between the lower power secure financial messaging unit v \ Jr * r - 1 • * * • * 
906 and the ATM 926, the point of sale terminal 928, or the Encryption— The process of transforming plain text into 
like. In this way, financial transactions can be effected based 60 cipher text for confidentiality or privacy, 
on a remote transaction request typically made through a Entity Authentication— The corroboration of the identity 
bank 914 or issuer, as well as financial transactions locally of an entity (e.g., a person, financial messaging unit, corn- 
requested by a user having a suitable secure financial puter terminal, Smart Card, etc.). 

messaging unit 906. It is important to note that local, low Factoring — The act of splitting an integer into a set of 

power origination, confirmation, and authentication carried 65 smaller integers which, when multiplied together, form the 

out by the secure financial messaging unit 906complements original integer. RSA is based on the factoring of large prime 

the overall system security since the wireless transmissions numbers. 
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Information Security Functions— The processes of and public-key systems are often combined in a system to 

encryption and digital signatures which provide information take advantage of the benefits of each, 

security services. Also known as security primitives. Asymmetric-Key Encryption — A cryptosystem in which 

Information Security Services— The purpose of utilizing for each party holds encryption/decryption key pairs with 

information security functions. Services include privacy or 5 varying strength, e.g., a shorter key may be used in situations 

confidentiality, authentication, data integrity and non- requiring less security, while a longer key is used in situa- 

repudiation. tions requiring greater security. As with symmetric-key 

Key— A value in the form of a data string used by encryption systems, asymmetric systems pose significant 

information security functions to perform cryptographic key management problems. 

computations 10 Verification — The process of confirming that a digital 

Key Agreement-Akey establishment technique in which signature, and therefore an entity or a message, is authentic, 

a shared secret is derived by two or more parties as a The following examples illustrate systems that may be 

function or information contributed by, or associated with, used to implement a secure messaging system in accordance 

each of these such that no party can predetermine the lf with the present invention. 

resulting value. Using ECC Algorithms, a secure signature with hash is 

Key Establishment — Any process whereby a shared generated based on the following information: 

secret key becomes available to two or more parties, for P is a generating point on the curve and has order n. 

subsequent cryptographic use. H is a secure hash algorithm such as SHA-1. 

Key Management— The set of processes and mechanisms 20 M ^ a bit string t0 be signed by an entitv A 

which support key establishment and the maintenance of A ^ & fc & ^ a bUc key y ^ 

ongoing keying relationships between parties. To ^ signature> Eatity A does the following: 

Key Pair-The public key and private key of a user or e fa an ) 

entity in a public-key cryptosystem. Keys in a key pair are r \ . , 

mathematically related by a hard one-way function. 25 2. Generate a random integer k 

Key Transport— A key establishment technique where 3 * Compute R=kP=(x,y) 

one party creates or otherwise obtains a secret value and 4. Convert x to an integer, 

securely transfers it to the other party or parties. 5. Compute r=x+e mod n 

Message Authentication — The corroboration of the 3Q 6. Compute s=k-ar mod n. 

source of information; also known as data original authen- 7 j be sign^re j s 

tication. Since R=kp is computed independently of the message M 

Message Authentication Code (MAC)— A hash function it could be pre-computed prior to signing M which occurs in 

which involves a secret key, and provides data original s t e p S (5) and (6). In this procedure, the time to hash and 

authentication and data integrity. The MAC is also referred 35 generate a random number is taken to be negligible in 

to as a transaction authentication code, wherein a message comparison with other operations performed. Finally, pre- 

may contain at least one transactions. computation of certain functions may be performed to speed 

Non-repudiation— The prevention of the denial of previ- up the computation of kP in step (3). 

ous commitments or actions. Non-repudiation is achieved Any entity B can verify A's signature (r,s) on M by 

using digital signatures. *o performing the following steps: 

Private Key — In a public-key system, it is that key in a 1. Obtain A's public key Y a =aP. 

key pair which is held by the individual entity and never 2. Compute u=sP 

revealed. It is preferable to embed the private key in a 3 Compute V^rYa 

hardware platform as a measure to keep it hidden from ^ Compute u+v=(x' y') 

unauthorized parties. 45 • P 

. , . . . « . 1 5. Convert x to an integer. 

Public Key — In a public key system, it is that key in a key ° 

pair which is made public. 6 - Com P ute e '~ r - x mod n * 

Public-Key Cryptography-A cryptographic system that ^ C ° m P ute G=R( ^> *? d ™? ^ ^ . 

uses different keys for encryption (e) and decryption (d), $Q Jh* following example illustrates encryption using an 

where (e) and (d) are mathematically linked. It is computa- elliptic curve encryption scheme, ^sume that Entity A has 

tionally infeasible to determine (d) from (e). Therefore, this a private key a and public key Ya=aP where P is a generating 

system allows the distribution of the public key while point- Entity B encrypts bit string M to entity A using the 

keeping the private key secret. Public-key cryptography is following procedure: 

the most important advancement in the field of cryptography 55 1. B obtains A's public key Y a 

in the last 2000 years. 2. B generates random integer k. 

RSA— A widely used public-key cryptosystem, named 3. B computes R=kP. 

after its inventors R. Rivest, A. Shamir, and L. Adleman. The 4 B computes S=kY fl =(x,y) 

security of RSA is based on the intractability of the integer 5 R co Us c . =m JLf / X Y 

factorization problem. 60 " „ , /T1 1 1 . ' A 

r . , . , 6. B sends (R,c„ ... c_) to A. 

Symmetric-Key Encryption-A cryptosystem m which wherc fo(x)=SHA „ 1(x || 0) ^ ^-SHA-lft^WIN© 

for each associated encryption/decryption key pair, (e,d), it Alternatively, if RSA cryptography is used, the following 

is computationally easy to determine d knowing only c, and definitions a ' crtineQ t: 

to determine e from d. In most practical symmetric-key * 

encryption schemes e-d. Although symmetric systems are 65 a * me moc ™lus. 

efficient for bulk encryption of data, they pose significant d is the private key and the public exponent for entity A. 

key management problems. Consequently, symmetric-key M is a bit string to be signed. 
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An RSA signature is generated by Entity A as follows: the RF receiver 804, RF transmitter 1030 and a selective call 

1. Compute m=H(M), an integer less than n. decoder 1004. The selective call decoder 1004 comprises a 

o rnmmitp c=m<* mnd n processing unit 1006, and its associated random access 

z. (Lompute s=m moo n memory (RAM) ^ rcadonly mcmory ^ QM) im and 

3 11k signature is s. s universal mpu t/output (I/O) module 1012. The primary 

RSAsigmng as described above creates digital signatures ^ ^ dcc oder 1004 is to detect and 

with appendix. In contrast to the ECC signing discussed decode mformalioQ contained in si m intended for 

previously, no pre-computation is possible when using RSA. re t ^ me ^ 90fi m 

Note that the signing requires one exponentation by the a 2 _4/ implementation that includes the opti onal reverse 

private exponent V . channel transmitter block 1036 and/or the message origina- 

Entity B can verify A s signature S on M usmg the ^ ^ ^ ^ ^ dea)der 10Q4 may also 

following procedure. function as an encoder to generate and deliver requests or 

1 . Obtain A's public exponent e and modulus n. messages to the regulator 914, a user, or other on-line system 

2. Compute m*=s c mod n. ( no t shown). 

3. Compute m=H(M). as Additionally, the financial messaging unit 906 comprises 

4. Verify that m*=m a secure decoding or Smart Card function module 1014 that 
In RSA verification, one exponentation by the public serves as a second financial transaction processor. This 

exponent e is required, e is preferably selected to be 64 module comprises control logic 1016, a message entry 

random bits. Similarly, for RSA encryption, one exponen- device 1018, a security code processor 1020, a secure ROM 

tation is required with a public exponent and the public 20 1022, a secure programmable read only memory (PROM) 

exponent should be at least 64 bits long for minimum 1024, and a Smart Card input/output (I/O) module 1026. 

security. Certain financial groups have proposed standards for 

In view of the preceding discussion, the remainder of the effecting end-to-end transaction security in the land-line 

secure messaging system is described with reference to wired environment. The standards proposed for securing 

FIGS. 10-16. One of ordinary skill in the art will readily 25 electronic financial transactions are based on a peer-to-peer 

discern that the system discussed herein may be modified to closed loop system in which the sending party (e.g., a 

take best advantage of the disclosed or similar cryptographic regulator or issuer such as a bank, or VISA™) generates a 

schemes to insure complete integrity of the secure financial secure transaction that comprises a value amount and an 

transaction. authentication code. The secure transaction is communi- 

Referring to FIG. 10, the illustration shows a high level 30 cated 924 to a requesting party via a device such as an ATM 

block diagram of a financial messaging unit 906 in accor- 926. In order to establish and complete a transaction, the 

dance with the preferred embodiment of the present inven- requesting party inserts a Smart Card 920 into the ATM, 

t j on enters an identification code, and requests a value to be 

One possible embodiment of a financial messaging unit placed in the Smart Card 920. The transaction processing 

906 is a conventional paging device and Smart Card 920 35 system authenticates the Smart Card 920, the requesting 

combination as shown in FIG. 10. Here, a mechanical slot party's financial status (e.g., account balance, credit 

and standard Smart Card connector 1042 are incorporated availability, etc.) and either completes or denies the trans- 

into the paging device's housing so that a Smart Card 920 action. 

can be inserted into the housing in a manner that establishes Accordingly, in view of the above requirements, the 

electrical contact between the card and the financial mes- 40 control logic 1016 operates to govern operation of the 

saging unit's 906 electronics. Alternatively, the electronics components associated with the Smart Card function module 

required to implement a Smart Card 920 are moved or 1014 to implement and maintain end-to-end security in a 

integrated into the financial messaging unit 906so the finan- secure financial transaction message, The control logic 1016 

cial messaging unit 906 functions as a true wireless Smart insures that any contents associated with the secure financial 

Card or wireless ATM. 45 transaction message are kept in their encrypted state from a 

Operationally, the incoming signal is captured by the regulator 914 until they are actually decrypted by the Smart 
antenna 802 coupled to the receiver 804 which detects and Card function module 1014 or an associated Smart Card 
demodulates the signal, recovering any information as pre- 920. Therefore, sensitive information such as a private 
viously discussed with reference to FIG. 8. Alternatively, the encryption key, cash load values, credit or bank account 
financial messaging unit 906 contains a low power reverse 50 numbers, or the like, are stored in the secure PROM 1024. 
channel transmitter 1034, power switch 1032, and transmit Similarly, the secure ROM 1022 may store processing 
antenna 1030 for either responding to an outbound channel routines that decrypt and encrypt information exchanged 
query or generating an inbound channel request. Instead of between the Smart Card function module 1014 and a regu- 
the portable transmitter 1034 (e.g., a low power radio la tor 914, merchant 916, or another Smart Card 920. 
frequency device) and its associated components, the alter- 55 The message entry device 1018 allows a user to initiate a 
native transmission block 1036 may contain either uni- or cash load request, cash transaction, credit transaction, or the 
bi-directional communication transducers, or preferably in a like. Typically, a user might enter a request using a 
1-way device, a message origination unit 138 comprising a keyboard, a voice activated recognition device, a touch- 
transducer 1040 is coupled to the processor 1006 in the sensitive device (erg., screen or pad), or other convenient 
secure financial messaging unit 906. Examples of suitable 60 data entry device. In the present invention, a user may 
transducers are optical devices like lasers or light emitting request transaction based information be communicated 
diodes (LED), extremely low power magnetic field indue- with the financial messaging unit 906, stored in the financial 
tive or electric field capacitive structures (e.g., coils, trans- messaging unit 906 for later transfer to the Smart Card 920, 
mission lines or the like), and possibly acoustic transducers or passed directly to the Smart Card 920. In this way, the 
in the audio or ultrasonic range. 65 financial messaging unit 906 acts like a portable ATM, 

An input/output (I/O) switch 1002 serves to direct the allowing a user to effect financial transactions without 

incoming or outgoing radio frequency (RF) energy between actually visiting a physical ATM. 
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In the case where the financial messaging unit 906 acts 
like a portable ATM with origination capability, the Smart 
Card function module 1014 operates as a second secure 
message generator coupled to the financial messaging unit to 
create a financial transaction request. Once created, a por- 5 
table transmitter 1034 coupled to the secure message gen- 
erator operates to broadcast the financial transaction request 
to a selective call message processor 1104. A receiver 1204 
coupled to the selective call message processor 1104operates 
to receive and couple the financial transaction request to the 10 
selective call message processor 1104. In this way, the 
financial messaging unit 906 can perform financial transac- 
tions without requiring a physical connection to a land-line 
hard wired network or PSTN. 

With regard to the implementation of a radio frequency 15 
enabled reverse channel financial messaging unit 906 as 
discussed herein, the invention preferably operates using the 
Motorola ReFLEX™ 2- way wireless paging system infra- 
structure and protocol which is described in detail in the 
following documents; 20 

It should be appreciated that the use of the instant inven- 
tion in other 2-way communication systems such as cellular 
and radio packet data systems is contemplated. 

Certain financial groups have proposed standards for 
effecting end-to-end transaction security in the land-line 25 
wired environment. The standards proposed for securing 
electronic financial transactions are based on a peer-to-peer 
closed loop system in which the sending party (e.g., a 
regulator or issuer such as a bank, or VISA™) generates a 
secure transaction that comprises a value amount and an 30 
authentication code. The secure transaction is communi- 
cated to a requesting party via a device such as an Automatic 
Teller Machine (ATM). In order to establish an complete a 
transaction, the requesting party inserts a Smart Card 920 
into the ATM, enters an identification code, and requests a 35 
value to be placed in the Smart Card 920. The transaction 
processing system authenticates the Smart Card 920, the 
requesting party's financial status (e.g., account balance 
credit availability, etc.) and either completes or denies the 
transaction. 40 

In a broader application, the financial messaging unit 906 
may be adapted to communicate, sensitive messages or data, 
as well as electronic funds transfer information can be 
securely transferred to the intended recipient device via a 
paging channel or the like. 45 

Referring to FIG. 11, the block diagram illustrates mes- 
sage composition and encryption equipment that could be 
used on the premises of a financial institution to send secure 
electronic funds transfer authorizations to financial messag- 
ing units via a paging channel or the like. 50 

Specifically, both direct branch and customer calls are 
received by a first financial transaction processor 1100 
comprising a transaction processing computer 1102, a mes- 
sage processing and encryption computer 1104 or selective 
call message processor that operates as a first secure mes- 55 
sage generator, a first secure message decoder, and a selec- 
tive call message distributor, all being functions of the 
selective call message processor 1104, a subscriber database 
1106, and a security code database 1108. The transaction 
processing computer 1102 receives financial transaction 60 
requests and communicates with the message and encryption 
processor 1104 to generate and encrypt secure financial 
transaction message based on information contained in the 
security code database 1108 corresponding with the 
requester and the transaction type. The message processing 65 
and encryption computer 1104 also determines a destination 
identifier from information contained in the subscriber data- 
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base 1106, which allows the selective call message distribu- 
tor to communicate the destination identifier and its corre- 
sponding secure financial transaction message to a selective 
call transmission service 904. The destination identifier may 
correspond with a conventional paging address, a cellular 
telephone address, or any other address that uniquely iden- 
tifies a destination associated with the secure financial 
transaction message. 

The message composition and encryption equipment 
illustrated in FIG. 11 would typically be used on the pre- 
mises of a financial institution to send secure electronic 
funds transfer authorizations to financial messaging units 
906 (e.g., "wireless ATM" devices) via a conventional 
paging channel or the like. In the following examples, the 
transaction information is composed using standard finan- 
cial computers and data structures, and the message is 
encrypted using the public and private keys assigned to 
target device and transaction, respectively. The keys 
assigned to each device, along with their paging addresses, 
are stored in the user database associated with the processing 
computer. After each message is encrypted, it is sent like a 
normal paging message to the paging system via the public 
telephone system. 

The first financial transaction processor 1100 will be more 
fully discussed with reference to FIG. 12 which integrates 
the first financial transaction processor 1100 with a wireless 
selective call signaling system controller. 

Referring to FIG. 12, the illustration shows a functional 
diagram of a wireless selective call signaling system con- 
troller that implements a combined 1-way and 2-way secure 
messaging system capable of signalling the financial mes- 
saging units. 

The wireless selective call signaling system controller 
1200 comprises the first financial transaction processor U00 
along with a transmitter 104 and associated antenna 904, and 
in 2-way RF systems, at least one receiver 1202 system 
comprising a received signal processor 1204 and at least one 
receive antenna 908. Preferably, several of at least one 
receiver 1202 systems may be distributed over a wide 
geographical area to receive the low power transmissions 
broadcast by 2-way financial messaging units 906. The 
number of receiver 1202 systems in any given geographical 
area is selected to insure adequate coverage for all inbound 
transmissions. As one of ordinary skill in the art will 
appreciate, this number may vary greatly depending on 
terrain, buildings, foliage, and other environmental factors. 

The wireless selective call signaling system controller 
1200 represents a closely coupled implementation of the 
overall secure messaging system. In practice, a regulator 
(e.g., bank, credit card issuer, etc.) may not want the 
responsibility of maintaining the RF infrastructure, i.e., the 
transmitter 104 and associated antenna 904, and the at least 
one receiver 1202 system. Consequently, a conventional 
wireless messaging service provider or the like would pro- 
vide and maintain the RF infrastructure, and the regulator 
would utilize that RF infrastructure in a conventional man- 
ner to communicate secure financial transaction messages 
between the regulator and the financial messaging units 906. 

As a first alternative to the preceding operation, the 
selective call signaling system controller 1200 may operate 
to encrypt, encode, and transmit secure financial transaction 
messages received from a regulator, where the first financial 
transaction processor 1100 has generated and encrypted the 
secure financial transaction message, and the selective call 
signaling system controller 1200 further encrypts the secure 
financial transaction message, for a second time. This 
increases the level of security of an associated secure 
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financial transaction message by encapsulating it using a selective call protocol, e.g., from a FLEX™ or POCSAG 

second, unrelated encryption. Subsequently, the financial data or information word, or decoding can include the step 

messaging unit 906 decodes and decrypts the doubly of decrypting the secure financial transaction message to 

encrypted message, revealing the secure financial transac- recover its contents representing an electronic cash token 

tion message in its encrypted state, and thus maintaining the 5 value, a credit value, a debit value, or other information 

end-to-end security required for a financial transaction. relating to a secure financial transaction such as crypto- 

Similarly, the selective call signaling system controller 1200 graphic message or session keys. According to the content of 

receives messages originating from the financial messaging the secure financial transaction message, the control logic 

unit 906 and passes the secure financial transaction message 1016 and processor 1006 operate to execute instructions 

in its encrypted state to a regulator for decryption and 10 1412 pertinent to the financial transaction being executed, 

processing. Referring to FIG. 15, the illustration shows a typical 

As a second alternative to the preceding operation, the sequence associated with requesting and authorizing the 

selective call signaling system controller 1200 may operate electronic transfer of funds or debit of funds by and from a 

to encode and transmit secure financial transaction messages wireless financial messaging unit. 

communicated between the regulator and the financial mes- 15 A financial transfer sequence is initiated 1500 by a 

saging unit 906. In this case, the first financial transaction customer calling his or her bank 1502, identifying them- 

processor 1100 at the regulator has generated and encrypted selves 1504 via a PIN number or other account information 

the secure financial transaction message, and the selective 1506, and requesting a transfer or other financial transaction 

call signaling system controller 1200 operates to associate a 1508 for communication to their wireless financial messag- 

selective call address with the secure financial transaction 20 ing unit 906. 

message based on a received destination identifier, then After verifying the identity of the customer 1510 and the 
transmit a resulting selective call message for receipt by the appropriate account information 1512, the bank or regulator 
financial messaging unit 906. Subsequently, the financial initiates a sequence of events to effect the electronic transfer 
messaging unit 906 decodes the selective call message, of the funds, granting of credit, or the like 1604. In a first 
revealing the secure financial transaction message in its 25 case, a financial transaction is approved when the financial 
encrypted state, and thus maintaining the end-to-end secu- transaction request is authenticated as originating from an 
rity required for a financial transaction. As with the prior authorized party and the financial transaction is permitted by 
operation, the selective call signaling system controller 1200 a regulator 1514. Typically, regulators permit financial trans- 
further operates to receive messages originating from the actions when a party has sufficient funds as in a cash load or 
financial messaging unit 906 and passes the secure financial 30 debit request, or when a party has sufficient credit available 
transaction message in its encrypted state to a regulator for to complete a transaction. Preferably, upon approval, the 
decryption and processing. financial messaging unit 906 prompts the user to wait for the 
Referring to FIG. 13, the illustration shows the various transaction 1520 and the system begins completion of the 
layers of a messaging system in a format that is similar to the financial transaction 1522. 

Organization Standards International (OSI) stack diagram 35 In a second case, the first financial transaction processor 

that is well known in the electronics industry. denies completion of the financial transaction based on the 

With respect to the present invention, the network layer financial transaction request when at least one of the finan- 

1302 is a point at which financial transactions are created. cial transaction request is not authenticated as originating 

These financial transactions are then communicated to a from an authorized party and the financial transaction is not 

messaging layer 1304 where appropriate selective call mes- 40 permitted by a regulator 1516. Topically, regulators deny 

sages are formed for inclusion in a transport protocol such financial transactions when a party has insufficient funds in 

as Motorola's FLEX or POCSAG. The channel signalling the cash load or debit request, or when a party has insuffi- 

layer 1306 or transport layer represents the point where the cient credit available to complete a transaction. If the 

low level transport protocols mentioned above are imple- regulator denies the financial transaction, the request is 

mented. Finally, the RF channel 1308 is the physical media 45 terminated 1518 and the financial messaging unit 906 

on which the low level transport protocol communicates the returns to normal operation. 

selective call messages containing the financial transactions. Referring to FIG. 16, the illustration shows a typical 

Referring to FIG. 14, the flow diagram shows typical sequence associated with the wireless transfer of funds or 

operation of a financial messaging unit in accordance with debit of funds by and from a wireless financial messaging 

the preferred embodiment of the present invention. 50 unit in both a 1-way and a 2- way secure communication 

When activated 1400, the financial messaging unit 906 system, 
(denoted as a pager for clarity of explanation) operates Completion of the financial transaction 1522 begins by 
"normally," that is, it waits in a standby state 1402 searching the regulator or issuer looking up the destination identifier 
for its selective call address 1404. If the financial messaging and security code (e.g., public or private key) for a user 
unit detects its address, and in particular it detects a security 55 account 1602 associated with at least one financial messag- 
address 1406, e.g., a specific selective call address associ- ing unit 906. The secure messaging system then generates 
ated with a single unique account, or one of several unique the secure financial transaction message which is commu- 
accounts, the financial messaging unit 906 recovers the nicated to the wireless selective call signaling system con- 
secure financial transaction message to effect a financial troller where the selective call message processor 1104 
transaction. If steps 1404 or 1406 fail, control returns to step 60 executes a control program that receives selective call 
1402 in which the financial message unit resumes normal message requests comprising a destination identifier and the 
operation. Once the financial messaging unit 906 determines secure financial transaction message and encapsulates the 
that a secure financial transaction message is received, the secure financial transaction message in a selective call 
Smart Card function module 1014 is activated 1408 and the message that includes a selective call address corresponding 
secure financial transaction message may be decoded 1410. 65 with the destination identifier. This selective call message is 
Decoding as mentioned here can represent the recovery of then distributed to a selective call transmission service in 
the secure financial transaction message from the native response to the destination identifier. The selective call 
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transmission service broadcasts the selective call message to the secure financial messaging unit. Specifically, SET 

the financial messaging unit 906 that receives the selective requires that in most cases a Smart Card 920 device or other 

call message. Optionally, the financial messaging unit 906 device operating as a Smart Card (e.g., an enabled secure 

may send a first message prompting the user to insert a financial messaging unit 906) communicate bi-directionally 

Smart Card 920 for funds transfer or the like. The bank 5 with a regulator to effect a financial transaction 

would then wait 1606 an appropriate time period 1608, then Consequently, an conventional 1-way wireless communica- 

send a data transmission comprising information with the tion device like a pager cannot an will not be accepted or 

account number of the Smart Card 920 to be credited, the approved for use as a wireless financial messaging unit, 

amount of the transaction, and coded information to verify However, using the features discussed in reference to the 

that the Smart Card 920 to be debited is valid and not a 10 instant invention, a conventional 1-way paging device, or 

counterfeit 1610. Obviously, if the Smart Card 920 is any other device (e.g., an electronic wallet) capable of being 

integrated with the financial messaging unit 906, steps 1604, adapted for operation like a conventional 1-way paging 

1606, and 1608 need not be perfo rmed. A bank will typically device, can be modified to include a local or wide area 

record 1612 the success or failure of a transaction upon its communication capability required to "close the loop" with 

completion 1614. 15 the regulator. 

In a financial messaging unit 906 having 2-way capability To further accommodate such financial messaging units 
1616, the bank can wait for receipt of an acknowledgment 906, the SET protocol is preferably extended to allow 
1618 comprising a returned secure financial transaction non-real time confirmation and authentication of financial 
message that confirms execution of the financial transaction. transactions. Since typical SET confirmation and authenti- 
When the financial transaction is successfully completed, an 20 cation messages are much too long to enter manually using 
optional message may be presented 1624 to the user at the a DTMF keypad or the like (several hundred keystrokes 
financial messaging unit 906 before the financial messaging would be required), the transducer 1040 in the message 
unit 906 returns to an idle state 1626. Alternatively, if no origination unit 1038 is used to generate reverse channel 
acknowledgment is received after a predetermined delay communications under control of the processor 1006 and the 
period 1620, the bank may re-initiate the prior financial 25 Smart Card function module 1014. For example, if an 
transaction 1622. acoustic audio transducer is selected it might be used to 
In a variation of the operation discussed in reference to generate DTMF dialing codes, then send the encrypted 
FIGS. 14-16, the user may remain in communication during communication of the confirmation response via the PSTN 
the financial transaction, and the bank may receive a non- 912 using International Telecommunication Union (ITU) 
real time acknowledgment that the transaction was com- 30 modem standards, e.g., V.22, V.32, V.34, or the like, 
pleted successfully using an alternate path, i.e., one other Currently, a SET transaction is secure not only because of 
than the RF reverse channel. This can be accomplished by its encrypted state, but because of a finite time associated 
either using a 1-way or 2-way paging device in a wired ATM with a financial session established to effect the financial 
machine, or by having the user remain on a phone or other transaction. This time window during which the financial 
communication device during the entire transaction. 35 transaction must be completed can be modified in instances 
Additionally, a distinctive audio alert pattern can be gener- where a financial transaction such as a fund transfer (cash 
ated by the financial messaging unit 906 to signal that the load) between a bank and a financial messaging unit 906, 
financial transaction has been completed without error. between two financial messaging units 906, or possibly 
Additionally, if an address is detected that is associated between a Smart Card 920 at a first location and a financial 
with a normal messaging function, the financial messaging 40 messaging units 906 or Smart Card 920 in a second location 
unit 906 will operate as a normal paging device. However, inserted in a financial messaging unit 906 is requested, 
if the detected address is associated with a secure data According to the present invention, a conventional selec- 
transmission address, the secure decoder module may be tive call message is broadcast to a selected financial mes- 
activated, the received secure financial message may be saging unit 906, the conventional selective call message 
decrypted, and the information contained in the message 45 containing a secure financial transaction. The selected finan- 
would be processed in accordance with either the contents of cial messaging unit 906 receives and decodes the conven- 
the message or with the rules associated with the received tional selective call message, then presents a user with a 
address. notification that a financial transaction is in progress, option- 
Referring to FIG. 17, the flow diagram depicts a typical ally indicating an action required and possibly the type of 
sequence associated with either authentication or confirma- 50 transaction being effected. For example, if a business trav- 
tion of a wireless transfer of funds, debit of funds, or credit eler needed more money during an extended business trip, 
transaction between a wireless financial messaging unit and conventional wisdom dictates that he would visit a bank or 
a regulator in either a 1-way or a 2-way secure communi- other source of cash. However, with a financial messaging 
cation system. unit 906, the business traveler could request more funds by 
In order to maintain confidentiality of the financial infor- 55 calling a prearranged number, entering their identification 
mation being exchanged between a host (e.g., an issuer, code, and requesting an amount to be sent to their financial 
regulator, merchant or the like) and the financial messaging messaging unit 906. Alternatively, if the business traveler is 
unit, all transactions transmitted or received near an ATM or point of sale terminal, they can initiate a 
(communicated) between the secure financial messaging funds request from the financial messaging unit 906 using 
unit and the host, wireless communication or paging system, 60 any number of input devices such as a touch sensitive input 
ATM, and point of sale terminal should be encrypted. The pad, keyboard, voice recognition device, or the like. In that 
Secure Electronic Transaction protocol (SET) developed by case, the financial messaging unit 906 generates a message 
several major financial entities defines the use of crypto- and contacts a regulator 914 using a local link 924 between 
graphic techniques along with a rule set for effecting secure the message origination unit and at least one of a point of 
electronic financial transactions in a wire-line environment. 65 sale terminal 928 and an ATM 926. The regulator 914 then 
The SET protocol may be easily adapted to accommodate generates the secure financial transaction message that is 
both 1-way and 2-way wireless financial transactions using encapsulated in a standard selective call signalling protocol 
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message and broadcast to the requesting financial messaging 
unit 906. The requesting financial messaging unit 906 
receives the selective call message including a response to 
the message in the form of the secure financial transaction 
message 1702. Preferably, the selective call message is 
broadcast from a wide area selective call signalling system 
so wherever the requesting financial messaging unit 906 is 
located, it will receive the selective call message. After 
decoding the selective call message to recover the secure 
financial transaction message, the requesting financial mes- 
saging unit 906 decrypts a content of the secure financial 
transaction message to reveal instructions representing the 
actual financial transaction. Several forms of the decrypted 
message are possible as defined in the latest SET 
specification, and may comprise the following: a session or 
message cryptographic key, a Diffie-Hellman key 
agreement/exchange component, a digital signature in a 
singular or impressed form, a certificate request, transaction 
instructions such as a unit identification request, a text or 
canned message that should be presented to the user 1704 of 
the requesting financial messaging unit 906 indicating that at 
least one of a confirmation and an authentication of the 
financial transaction associated with the secure financial 
transaction message is requested or designating a action 
required of the user such as entry of a personal identification 
number (PIN)> authentication and confirmation codes, a 
transaction serial or tracking number, or tokens representing 
cash, debit, or credit values. One of ordinary skill in the art 
will readily discern that this list is only exemplary, and other 
components that become necessary based on the transaction 
type are possible. 

Once the secure financial transaction message is 
decrypted, the financial messaging unit 906 selects 1706 at 
least one of the optical, electromagnetic, and acoustic trans- 
ducers 1040 in the message origination unit 1038 to com- 
municate a response to the secure financial transaction 
message. The financial messaging unit 906 then operates to 
contact 1710 the regulator 914 using a local link 924 
between the message origination unit 1038 and at least one 
of the point of sale terminal 928 or ATM 926 to communi- 
cate the response to the secure financial transaction message. 
If the point of sale terminal 928 or ATM 926 is coupled via 
a land-line 910 to the PSTN 912, either these devices or the 
message origination unit 1038 can dial a number 1708 
representing the regulator 914. The number may either be a 
predetermined number that is preferably stored in non- 
volatile secure ROM 1022 or EEPROM 1024 in the financial 
messaging unit 906, or to increase security, a number that is 
received in a secure financial transaction message. If a 
dial-up response is required, the financial messaging unit 
906 should not display the return telephone number received 
in the secure financial transaction message, but instead, 
should display a message such as "CONFIRMATION 
REQUIRED/' thus prompting the user to obtain transaction 
confirmation to gain use of the credit or funds requested or 
funds transferred to the financial messaging unit 906. 
Additionally, depending on the type of financial transaction 
being effected, the regulator 914 may request identification 
of the financial messaging unit 906, a serial number of the 
current transaction, etc., as a confirmation message 1710 
communicated either before of after completion of the 
financial transaction. Once the regulator determines that the 
financial messaging unit 906 is authentic and communica- 
tions therefrom are confirmed and authenticated, the regu- 
lator broadcasts a message to the financial messaging unit 
906 authorizing execution of the requested transaction. In 
this manner, a primarily 1-way wide area communication 
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device such as the financial messaging unit 906, and even a 
2- way wide area communication device can securely con- 
duct primarily wireless financial transactions. 

One of ordinary skill in the art will appreciate that the 
5 preceding discussion regarding the claimed invention in not 
meant to limit the system to a particular transport protocol, 
wireless media, cryptographic scheme, or physical commu- 
nication device. Consequently, the claimed invention and 
other variations made possible by the teachings herein 
10 represent only a few select ways that a secure messaging 
system for communicating financial information can be 
implemented using the unique principles taught in the 
present invention. 

It is in the preceding spirit that we claim the following as 
15 our invention: 

1. A secure financial messaging unit, comprising: 
a wide area radio frequency receiver; 
a selective call decoder coupled to the wide area radio 
frequency receiver; 
20 a financial transaction processor coupled to the selective 
call decoder; 

a main processor coupled to the financial transaction 
processor and the selective call decoder; and 

25 a message origination unit coupled to the main processor, 
the message origination unit operating in at least one of 
a reply and confirmation mode and an originate and 
request mode to effect a wireless financial transaction 
using a local area link. 

30 2. The secure financial messaging unit according to claim 

1 wherein the message origination unit comprises: 

a transducer coupled to the main processor, the transducer 
operating to couple a secure financial transaction mes- 
sage between the secure financial messaging unit and a 
35 regulator using the local area link to effect the wireless 
financial transaction. 

3. The secure financial messaging unit according to claim 

2 wherein the transducer comprises: 

an optical device that communicates information com- 
40 prising the secure financial transaction message in at 
least one of a uni-directional and a bi-directional way 
with the local area link for at least one of initiating the 
wireless financial transaction, authenticating the wire- 
less financial transaction, and confirming completion of 
45 the wireless financial transaction. 

4. The secure financial messaging unit according to claim 

3 wherein the optical device comprises: 

an light detector that detects light in a visible spectrum. 

5. The secure financial messaging unit according to claim 
50 3 wherein the optical device comprises: 

an light detector that detects light in an infrared spectrum. 

6. The secure financial messaging unit according to claim 
3 wherein the optical device comprises: 

5S an light detector that detects light in an ultraviolet spec- 
trum. 

7. The secure financial messaging unit according to claim 
3 wherein the optical device comprises: 

an light detector that detects light in any spectrum. 
60 8. The secure financial messaging unit according to claim 
3 wherein the optical device comprises: 

an light emitting diode that emits light in a visible 
spectrum. 

9. The secure financial messaging unit according to claim 
65 3 wherein the optical device comprises: 

an light emitting diode that emits light in an infrared 
spectrum. 
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10. The secure financial messaging unit according to of initiating the wireless financial transaction, authenticating 
claim 3 wherein the optical device comprises: the wireless financial transaction, and confirming comple- 

an light emitting diode that emits light in an ultraviolet of the wireless financial transaction. 

spectrum ^3* ^ c secure financial messaging unit according to 

11. The secure financial messaging unit according to * claim 2 wherein the local area link comprises an infrared 
claim 3 wherein the optical device comprises: enabled point of sale terminal that is optically coupled to an 

, , j . . j , v u* • optical transducer in the secure financial messaging unit for 

an light emitting diode that emits laser light in any r . . . r A . tt _ % • ■ 

& " & & / communicating information comprising the secure financial 

1 ^ sp f5 rum ' c -i - transaction message in at least one of a uni -directional and 

12. The secure financial messaging unit according to bi _ directoal * ^ the local area link for at least one 

claim 2 wherein the transducer comprises: 0 f initiating the wireless financial transaction, authenticating 

an acoustic device that communicates information com- the financial transaction, and confirming comple- 

prising the secure financial transaction message in at aon of the whcless nnan cial transaction, 

least one of a uni-directional and a bi-directional way ^ ^ secure financial messaging unit according to 

with the local area link for at least one of initiating the 15 daim 2 wherein the ]ocal area i mk comprises an infrared 

wireless financial transaction, authenticating the wire- enab i e d automatic teller machine that is optically coupled to 

less financial transaction, and confirming completion of an Qptical tr^ncer i n the secure financial messaging unit 

the wireless financial transaction. for communicating information comprising the secure finan- 

13. The secure financial messaging unit according to cial tra n Sa ction message in at least one of a uni-directional 
claim 12 wherein the acoustic device comprises: 2Q and a bi _ d i rec tional way with the local area link for at least 

an audio transducer that detects audio energy in an one 0 f initiating the wireless financial transaction, authen- 

ultrasonic spectrum. ticating the wireless financial transaction, and confirming 

14. The secure financial messaging unit according to completion of the wireless financial transaction. 

claim 12 wherein the acoustic device comprises: 25. The secure financial messaging unit according to 

an audio transducer that detects audio energy in an audible 25 claim 2 wherein the local area link comprises an low power 

spectrum. radio frequency enabled point of sale terminal that is mag- 

15. The secure financial messaging unit according to netically coupled to a magnetic transducer in the secure 
claim 12 wherein the acoustic device comprises: financial messaging unit for communicating information 

an audio transducer that emits audio energy in an ultra- comprising the secure financial transaction message in at 

sonic spectrum. 30 * east one °f a uni-directional and a bi-directional way with 

16. The secure financial messaging unit according to the local area link for at least one of initiating the wireless 
claim 12 wherein the acoustic device comprises: financial transaction, authenticating the wireless financial 

an audio transducer that emits audio energy in an audible transaction, and confirming completion of the wireless 

spectrum. financial transaction. 

17. The secure financial messaging unit according to 35 26 TTie secure financial messaging unit according to 
claim 2 wherein the transducer comprises: claim 2 wherein the local area link comprises an low power 

. . . ■ j • ,i a . . nfnmni : nn radio frequency enabled point of sale terminal that is elec- 

an electromagnetic device that communicates information . * . i * ■„ (r _ r x,^ r ■ th „ _ lr ,. 

. . & . „ . , . ■ tncally coupled to an electric transducer in the secure 

comprising the secure financial transaction message in * y • . frtmrjt - „ 

. y A 6 ~ . , .. j- i financial messaging unit for communicatmg information 

at least one of a um-du-ectional and a bi-directional way . a • 1 * f 

, , - t1 , e . #u 40 comprising the secure financial transacUon message in at 

with the local area link for at least one of initiating the f & t j=> 

. . c . l4 *u *• r *u • least one of a uni-directional and a bi-directional way with 

wireless financial transaction, authenticating the wire- .. t - . e ...... J Mla( ,„ 

. r- • i f the local area Imk for at least one of initiating the wireless 

less financial transaction, and confirming completion ot . . . . , .J % - .. 

. tl ~ • i * financial transaction, authenticating the wireless financial 

the wireless financial transaction. . . ' « „ i *u 

~ £ • 1 * j. . transaction, and confirming completion of the wireless 

18. The secure financial messaging unit according to ' . , ' . & r 
. . , . it _ ! . f. j • • 45 financial transaction. 

claim 17 wherein the electromagnetic device comprises: ^ a . , _ •,.„*. r 

to • r • 27. The secure financial messaging unit according to 

a magnetic field transducer that detects information c i a i m 2 wherein the local area link comprises an low power 

broadcast from the local area fink. radio frequency enabled aut0 matic teller machine that is 

19. The secure financial messaging unit according to magne tically coupled to a magnetic transducer in the secure 
claim 17 wherein the electromagnetic device comprises: 5Q financial messaging unit for com municating information 

an electric field transducer that detects information broad- comprising the secure financial transaction message in at 

cast from the local area link. [ eas t 0 ne of a uni-directional and a bi-directional way with 

20. The secure financial messaging unit according to the local area ^ for at least one of initiating the wireless 
claim 17 wherein the electromagnetic device comprises: financial transaction, authenticating the wireless financial 

a magnetic field transducer that broadcasts information to 55 transaction, and confirming completion of the wireless 

the local area link. financial transaction. 

21. The secure financial messaging unit according to 28. The secure financial messaging unit according to 
claim 17 wherein the electromagnetic device comprises: claim 2 wherein the local area link comprises an low power 

an electric field transducer that broadcasts information to radio frequency enabled automatic teller machine that is 

the local area link. 60 electrically coupled to an electric transducer in the secure 

22. The secure financial messaging unit according to financial messaging unit for communicating information 
claim 2 wherein the local area link comprises a conventional comprising the secure financial transaction message in at 
acoustic telephone that is acoustically coupled to an acoustic least one of a uni-directional and a bi-directional way with 
transducer in the secure financial messaging unit for com- the local area link for at least one of initiating the wireless 
municating information comprising the secure financial 65 financial transaction, authenticating the wireless financial 
transaction message in at least one of a uni-directional and transaction, and confirming completion of the wireless 
a bi-directional way with the local area link for at least one financial transaction. 
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29. In a secure financial messaging unit, a method com- 
prising the steps of: 

receiving a selective call message including a secure 
financial transaction message, the selective call mes- 
sage being broadcast from a wide area selective call 
signalling system; 

decoding the selective call message to recover the secure 
financial transaction message; 

decrypting the secure financial transaction message 
recovered from the selective call message; and 

presenting a message indicating that at least one of a 
confirmation and an authentication of a financial trans- 
action associated with the secure financial transaction 
message is requested. 

30. The method according to claim 29 comprising the 
steps of: 

selecting at least one of a optical, an electromagnetic, and 
an acoustic transducer in a message origination unit to 
communicate a response to the secure financial trans- 
action message; and 

contacting a regulator using a local link between the 
message origination unit and at least one of a point of 
sale terminal and an automatic teller machine to com- 
municate the response to the secure financial transac- 
tion message, the regulator being an authority that 
requested the at least one of the confirmation and the 
authentication of the financial transaction associated 
with the secure financial transaction message. 

31. The method according to claim 30 comprising the 
steps of: 

receiving at least one of a transaction authorization and a 
transaction confirmation from the regulator via at least 
one of the wide area selective call signalling system 
and the local link, thereby allowing the secure financial 
messaging unit to complete the financial transaction 
associated with the secure financial transaction mes- 
sage. 

32. The method according to claim 30 comprising the 
steps of: 

identifying the financial transaction associated with the 
secure financial transaction message to the regulator 
before allowing the secure financial messaging unit to 
complete the financial transaction associated with the 
secure financial transaction message. 

33. The method according to claim 30 comprising the 
steps of: 

identifying the secure financial messaging unit to the 
regulator before allowing the secure financial messag- 
ing unit to complete the financial transaction associated 
with the secure financial transaction message. 

34. The method according to claim 30 comprising the 
steps of: 
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identifying the secure financial messaging unit to the 
regulator after allowing the secure financial messaging 
unit to complete the financial transaction associated 
with the secure financial transaction message. 

35. In a secure financial messaging unit, a method com- 
prising the steps of: 

generating a message requesting a financial transaction; 

selecting at least one of a optical, an electromagnetic, and 
an acoustic transducer in a message origination unit to 
communicate the message requesting a financial trans- 
action; 

contacting a regulator using a local link between the 
message origination unit and at least one of a point of 
sale terminal and an automatic teller machine, the 
regulator being an authority that governs the financial 
transaction; 

receiving a selective call message including a response to 
the message, the selective call message being broadcast 
from a wide area selective call signalling system; 

decoding the selective call message to recover a secure 
financial transaction message; 

decrypting the secure financial transaction message 
recovered from the selective call message; and 

presenting a message indicating that at least one of a 
confirmation and an authentication of the financial 
transaction associated with the secure financial trans- 
action message is requested. 

36. The method according to claim 35 comprising the 
steps of: 

receiving at least one of a transaction authorization and a 
transaction confirmation from the regulator via at least 
one of the wide area selective call signalling system 
and the local link, thereby allowing the secure financial 
messaging unit to complete the financial transaction. 

37. The method according to claim 35 comprising the 
steps of: 

identifying the financial transaction to the regulator before 
allowing the secure financial messaging unit to com- 
plete the financial transaction. 

38. The method according to claim 35 comprising the 
steps of: 

identifying the secure financial messaging unit to the 
regulator before allowing the secure financial messag- 
ing unit to complete the financial transaction. 

39. The method according to claim 35 comprising the 
steps of: 

identifying the secure financial messaging unit to the 
regulator after allowing the secure financial messaging 
unit to complete the financial transaction. 
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[57] ABSTRACT 

Each access attempt transmitted to an authentication 



agency causes the agency to produce a request identifier 
unique to that request. The request identifier is transmit- 
ted back to the authentication code generator of the 
user initiating the access attempt, and to an authentica- 
tion code generator in the agency. The agency also 
retrieves a user identifier from a database and sends it to 
its authentication code generator. Both the user's au- 
thentication code generator and the agency's authenti- 
cation code generator independently combine, through 
identical or complementary transformations, the user 
identifier and the request identifier to form a user au- 
thentication code and an agency authentication code. 
The two authentication codes are presented by a com- 
parator, which issues a permit signal only if the compar- 
ison indicates a match between the two authentication 
codes. The permit signal is transmitted to a transaction 
control device to permit the transaction to proceed. 
Since the authentication code is unique to each transac- 
tion attempt, interception of an authentication code will 
not permit an unauthorized user to successfully initiate 
another transaction. As an additional security feature, 
the user of irreversible transformations in the authenti- 
cation code generator would prevent decoding of an 
intercepted authentication code and would not allow an 
unauthorized user to derive the user identifier associ- 
ated with the transaction. As required by a particular 
application, additional levels of security can be 
achieved by using encryption steps in combination with 
the irreversible transformations at selected points in the 
process. 
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TRANSACTION AUTHENTICATION USING A 
CENTRALLY GENE RATED T RANSACTION 
IDENTIFIER 

5 

BACKGROUND OF THE INVENTION 

1. Field of Invention 

This invention authenticates a transaction request in 
order to permit progress of a transaction based on a 
match between an authentication code generated by the 10 
requestor of the transaction and an authentication code 
generated by an authentication agency. 

2. Brief Description of the Prior Art 

Central authentication of remote transactions is an 
important mode of business conduct Remote access to 15 
electronic funds transfer networks must be authenti- 
cated to prevent theft of funds. Access to communica- 
tions systems, such as cellular mobile radio systems, 
must be authenticated to prevent theft of communica- 
tion services. Authentication is also important in gov- 20 
erning electronic access to computer networks and 
interactive television and physical access to secured 
locations. Operators of these kinds of systems have 
developed a number of different techniques for reduc- 
ing the susceptibility of their systems to various forms 25 
of fraud. However, almost all of these techniques can be 
circumvented by sophisticated misusers with enough 
computer resources at their disposal or by dishonest 
employees who can access the systems at various ex- 
posed points to steal access code information. 30 

Many of the authentication techniques use combina- 
tions of passwords and personal identification numbers 
(PINs) to attempt to verify that the user attempting to 
access a network or service is authorized for access. 
Unauthorized access using PINs and passwords im- 35 
properly obtained can be somewhat reduced by requir- 
ing users to periodically change these codes. A personal 
identification system disclosed in U.S. Pat. No. 
4,376,279 uses a PIN secretly selected by the user, a 
code number secretly selected by officers of the authen- 40 
ticating agency and an irreversible transform secretly 
selected by the manufacturer of the system to produce a 
code number that is magnetically encoded onto a user 
card, such as a credit card or banking access card. Since 
only the user knows the selected PIN, the user's entry 45 
of that PIN, after inserting the card into the system 
presumably establishes that authority of that user to 
access the system. However, even though the system is 
partitioned to protect different portions of the access 
code information, changing access codes is cumber- 50 
some, so that the same information is used over and 
over again. An eavesdropper or other person that can 
obtain access to the transaction data, and with enough 
computer power may, over time, accumulate enough 
information to learn the access code and gain unautho- 55 
rized entry. 

Theft of telecommunication services through eaves- 
dropping on cellular mobile radio calls has become a 
major problem. The eavesdropper captures or derives 
the caller's access code, builds it into his radio unit, and 60 
makes subsequent unauthorized calls billed to the origi- 
nal caller. A long period of time could go by before this 
misuse is discovered and the access code changed. 
Hackers seeking access to telecommunication and com- 
puter networks program their computers to try thou- 65 
sands of access codes in an attempt to find one that 
works. Once a successful code is found, the hacker can 
gain network access. Similar problems will exist for 



529 
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emerging interactive television services, such as enter- 
tainment and home shopping. Authentication tech- 
niques that use repeatedly transmitted access codes are 
susceptible to various sophisticated attacks. Some tech- 
nique is needed to keep the attackers off balance. 

SUMMARY OF THE INVENTION 

The transaction authentication method that is the 
subject of the present invention uses a centrally gener- 
ated identifier that is specific to each transaction request 
to assure that the access information being transmitted 
from point to point in the system is different for each 
transaction attempt. In this transaction authorization 
process and apparatus, each access attempt transmitted 
to an authentication agency causes the agency to pro- 
duce a request identifier unique to that request. The 
request identifier is transmitted back to the authentica- 
tion code generator of the user initiating the access 
attempt, and to an authentication code generator in the 
agency. The agency also retrieves a user identifier from 
a database and sends it to its authentication code genera- 
tor. Both the user's authentication code generator and 
the agency's authentication code generator indepen- 
dently combine, through identical or complementary 
transformations, the user identifier and the request iden- 
tifier to form a user authentication code and an agency 
authentication code. The two authentication codes are 
presented to a comparator, which issues a permit signal 
only if the comparison indicates a match between the 
two authentication codes. The permit signal is transmit- 
ted to a transaction control device to permit the transac- 
tion to proceed. Since the authentication code is unique 
to each transaction attempt, interception of an authenti- 
cation code will not permit an unauthorized user to 
successfully initiate another transaction. As an addi- 
tional security feature, the use of an irreversible trans- 
formation in the authentication code generator would 
prevent decoding of an intercepted authentication code 
and would not allow an unauthorized user to derive the 
user identifier associated with the transaction. As re- 
quired by the particular application, additional levels of 
security can be achieved by using encryption steps (re- 
versible) in combination with the irreversible transfor- 
mations at selected points in the process. 

This invention produces a flexible transaction authen- 
tication architecture that can be used to meet the secu- 
rity needs of a diversity of transactions, such as autho- 
rizing a call to a remote access port of a telecommunica- 
tion network or a cellular mobile radio call to access the 
network, allowing remote access to a computer net- 
work, identifying a user as an authorized electronic 
funds transfer agent or legitimate user of interactive 
television services, and permitting physical access to a 
secured location. Each of these transactions has differ- 
ent points of vulnerability to eavesdropping from the 
outside or compromise by dishonest insiders. The in- 
ventive architecture permits use of transformation and- 
/or encryption of the authentication information at 
different points in the system dependent on an analysis 
of the particular application's vulnerabilities. In any 
event, the authentication information will be different 
for each transaction attempt, greatly impeding or en- 
tirely foiling efforts to successfully complete an unau- 
thorized transaction. 

With modern integrated circuit technology, the 
transformation involved can be economically realized 
in a microprocessor or special purpose VLSI chip. This 
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architecture gives the authorized user an economic 
advantage over the intended intruder. Since the authen- 
tication code changes in a virtually unpredictable way, 
an eavesdropper or intruder, collecting large amounts 
of data and applying much computer power, would find 5 
it practically impossible to determine a usable authenti- 
cation code. However, the subject system compares 
authentication codes in their transformed or encrypted 
state without requiring inversion or decryption, which 
greatly simplifies the required equipment. The organi- 10 
zation and operation of lie invention can be better un- 
derstood from consideration of the following detailed 
description of illustrative embodiments when read to- 
gether with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 15 

FIG. 1 depicts a transaction authentication system of 
the invention. 

FIG. 2 depicts a transaction authentication system of 
the invention in which the transaction is the transmis- 20 
sion of information through a primary transmission 
path. 

FIG. 3 depicts a system as depicted in FIG. 1 in 
which the second transmitter transforms the request 
identifier together with the second user identifier. 25 

FIG. 4 depicts a system as depicted in FIG. 1 in 
which the comparator is associated with the transmis- 
sion controller. 

FIG. 5 depicts a transaction authentication method of 
the invention. 30 

FIG. 6 depicts a system as depicted in FIG. 2 includ- 
ing means to encrypt the authentication codes. 



DETAILED DESCRIPTION OF THE 
INVENTION 



35 



The following detailed description and several exem- 
plary embodiments will help convey an understanding 
of the claimed invention. The invention is a method and 
apparatus embodying a system architecture that enables 
a central authentication agency to govern attempts by a 40 
user to initiate a transaction. The kinds of transactions 
to which the invention is applicable include electronic 
access to communication systems, financial systems, 
computer networks, and interactive television and en- 
tertainment systems and physical access to secure loca- 45 
tions. A fundamental principal of the invention is the 
central generation of an identifier that is unique to each 
transaction attempt The identifier could, for example, 
be the time and date of the attempt, it could be a random 
number that is generated in the authentication agency 50 
each time a transaction is attempted or some other iden- 
tifier number or code that is apparently not repeated or 
is not periodic within the time span of the transactions 
being attempted. 

In the inventive architecture, authentication signals 55 
pass through two branches, a user branch and an au- 
thentication agency branch. The authentication signals 
passing through the two branches are then compared 
and a permit signal generated if the comparison is suc- 
cessful. The permit signal is then passed to the appropri- 60 
ate application device to allow the transaction to pro- 
ceed. The application device may be, for example, a 
switch in a telecommunications system, a network ac- 
cess point into a computer or interactive television net- 
work, or a lock into a secured area. 65 

The user attempting to initiate a transaction operates 
an access module which may, for example, be contained 
in a cellular telephone, a computer, an ATM access 



point, or within a lock securing a physical entry point. 
The access module must provide a means for user iden- 
tification. For example, the user identification may be 
entered through an encoded card or key, or through a 
keyboard or keypad. For a cellular telephone, a user 
could insert a magnetically encoded card or other form 
of enabling key that contains a personal identification 
number (PIN). For an ATM or computer, a keyboard 
or key pad could be used to enter the user's personal 
identification information. 

The architecture also includes transformation or en- 
cryption of the access information at various points in 
the two branches. The particular application is analyzed 
for its vulnerability to various forms of eavesdropping 
or interception by outsiders or various forms of inter- 
ception by dishonest employees. This analysis will dic- 
tate the placement of various forms of transformation or 
encryption in the system. The transformations can be 
reversible or irreversible. The placement of the trans- 
formations or encryption steps can be either symmetric 
or asymmetric so long as the total transformation in the 
user branch is the same as the total transformation in the 
authentication agency branch by the time the signals are 
compared. 

One important area of application of the invention is 
the field of telecommunications. In particular, the field 
of wireless communications such as cellular mobile 
radio. In this application, the following sequence of 
events could take place. The user enables the calling 
telephone by use of a telephone enabling key that con- 
tains the PIN identified with the user or with the tele- 
phone set itself. The user then lifts or otherwise acti- 
vates the calling telephone handset to make the call. 
The calling telephone number is automatically sent to 
the central office which is the authentication agency. 
The central office generates a transaction identifier 
unique to that call attempt. The transaction identifier 
could be the date and time of the call attempt. The 
transaction identifier is then transmitted back to the 
user. An authentication code generator within the tele- 
phone combines the transaction identifier and the user's 
PIN to generate an authentication code. The authenti- 
cation code is then transmitted back to the central office 
for comparison. 

Within the central office, the telephone number of the 
calling telephone is routed to a database which looks up 
the associated user's PIN. The PIN and the transaction 
identifier are passed to an authentication code generator 
within the central office to generate an authentication 
code for comparison with the authentication code gen- 
erated in the user's telephone. The comparison is made 
and, if successful, a permit signal is passed into the 
switching system to permit the call to proceed. 

In a wireless communication system such as this, the 
transmission of the authentication code from the calling 
telephone to the central office is a point of particular 
vulnerability. In prior arts systems eavesdroppers, inter- 
cepting the authentication code, could build this code 
into their own telephone set and subsequently make 
unauthorized calls to be billed to the original user. 
However, in the system of the invention, since the au- 
thentication code is different for each call attempt, this 
is not possible. A more sophisticated unauthorized user 
may intercept both the transaction identifier and the 
authentication code and attempt to derive the PIN num- 
ber. To protect against such an unauthorized user, the 
call identifier (e.g., calling telephone number) and PIN 
can be combined by means of an irreversible transform. 
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Analysis of the vulnerabilities of a particular system 
could suggest the use of additional transformations or 
encryption steps at different points in the system. For 
example, in the telephone set the PIN and calling tele- 
phone number could be combined in an initial transfor- 5 
mation step which could be an irreversible transform. 
The irreversible transform of the calling telephone 
number and PIN or an encryption thereof would be 
stored within the central office's user identifier source 
(database) so that even within the central office the PIN 10 
is not available. The transform of the calling telephone 
number and PIN could be transmitted in the clear or 
encrypted between network elements. In this realiza- 
tion of the invention, the PIN is never stored or trans- 
mitted by any of the system's elements. As another 15 
security measure, the authentication codes could be 
encrypted or transformed with PIN (or an encrypted 
PIN), in both branches before the two signals are com- 
pared. 

In all of the above variations, the comparison of two 20 
authentication signals will be successful if the successive 
application of the various transformations in the user 
branch produces the same total transformation as the 
successive application of the transformations on the 
central office side. However, irreversible transforms 25 
and all transforms or encryptions preceding them must 
be identical in both branches. 

In all of these variations the authorized user has an 
advantage over the unauthorized user seeking to deter- 
mine a usable PIN because the system architecture of 30 
the invention never requires application or derivation of 
an inverse transformation or the decryption of the sig- 
nals. All signals are compared in a transformed or en- 
crypted state. This places the unauthorized user in a 
very disadvantageous position and further protects the 35 
user's PIN number from being determined. All of the 
required transformation and encryption steps within the 
telephone set can be accomplished within a single mi- 
croprocessor chip. 

Another important application of the invention is in 40 
connection with access to automatic teller machines. In 
such machines the user inserts a magnetically encoded 
card and then manually enters a PIN number. This type 
of system is susceptible to interception of the PIN num- 
ber as it is transmitted to the banking institution's cen- 45 
tral computer. Application of the invention would pre- 
vent an intercepted PIN number from being used subse- 
quently to make unauthorized transactions, since the 
authorization code is different for each transaction. The 
use of an irreversible transform within the ATM access 50 
module would prevent a more sophisticated intruder 
from analyzing the transmitted signal to determine the 
user's PIN even if the intruder knew both the request 
identifier and the transform involved. Other financial 
transactions that could be similarly protected are 55 
money wire transfers and the presentation of personal 
credit cards. 

In addition to controlling electronic access to various 
financial systems, the invented method and apparatus 
could be used to protect physical access to a secured 60 
location. In this case the permit signal, instead of con- 
trolling electrical access to a system, would control a 
physical lock. 

FIG. 1 shows an exemplary device of the invention 
including an information generator 1 an authentication 65 
agency 2, and a transaction device 3. Within the infor- 
mation generator 1, a requesting means 4 transmits a 
transaction request to the authentication agency 2 to- 



gether with information identifying the information 
generator. A first user identifier source 5 transmits the 
user identifier such as the user's FIN, to the first authen- 
tication code generator 6. The request is received by the 
request identifier generator 7 and the information iden- 
tifying the information generator 1 is received by the 
second user identifier source 8. The request identifier 
generator 7 produces a request identifier unique to that 
particular transaction request and passes it to the first 
authentication code generator 6 and the second authen- 
tication code generator 9. The second user identifier 
source 8 obtains the user's PIN and passes it to the 
second authentication code generator 9. The first au- 
thentication code generator 6 and the second authenti- 
cation code generator 9 produce first and second au- 
thentication codes and pass them to a comparator 10 for 
comparison. 

A successful comparison of the two authentication 
codes will result in generation of a permit signal which 
is then passed to the transaction controller 11. The 
transaction controller 11 will then permit the informa- 
tion from the information source 12 to complete the 
transaction that is being attempted whether it be the 
electrical access to another system or physical access to 
a security area. For transactions involving independent 
information generation, the requesting means 16 and 
first authentication code generator 19 would form the 
nucleus of a transaction access module. 

FIG. 2 shows an exemplary device of the invention in 
which the transaction involved is the transmission of 
information from an information generator 13 through a 
primary transmission path 15 to a communication termi- 
nal outside of the system. The transmission through the 
primary transmission path 15 is controlled by an authen- 
tication agency 14. The information generator includes 
a requesting means 16 which may have a key port 17. 
The requesting mean presents the transmission request 
to the authentication agency 14. The information gener- 
ator 13 also includes a first user identifier source 18 
which transmits the first user identifier to a first authen- 
tication code generator 19 through a first user identifier 
access port 20. In the authentication agency 14 the 
transmission request is presented to a request identifier 
generator 21 which generates a request identifier unique 
to that particular request. In a telecommunication sys- 
tem, the request identifier could be the time and date of 
the request, information which is readily available 
within a central office, or it could be a random number 
or pseudo random number generated by any one of the 
random number generators known in the art The re- 
quest identifier is transmitted by a second transmitter 29 
to the first authentication code generator 19 through the 
first request identifier access port 23 and to a second 
authentication code generator 24 through a second 
request identifier access port 25. 

In the authentication agency 14 the transmission re- 
quest, which also contains information identifying the 
information generator 13, is transmitted to a second user 
identifier source 26 through a second transmission re- 
quest access port 27. The second user identifier source 
26 accesses its database to determine the user identifier 
corresponding to the information generator 13 and 
transmits it through a third transmitter 28 to the second 
authentication code generator 24 through the second 
user identifier access port 31. 

The first authentication code generator 19 includes a 
first transformer for transforming the first user identifier 
and the first request identifier to produce a first authen- 
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tication code. The transformation produced by the 
transformer is advantageously an irreversible transform. 
However, some applications with lesser privacy re- 
quirements may use a reversible transform. The second 
authentication code generator 24 includes a second 5 
transformer for transforming the second request identi- 
fier together with the second user identifier to produce 
a second authentication code. The first authentication 
code is transmitted by means of a first transmitter 30 to 
a comparator 35 through a first authentication code 10 
access port 33. The second authentication code is trans- 
mitted by means of a fourth transmitter 32 to the com- 
parator 35 through a second authentication code access 
port 34. The comparator includes a comparing means 
for comparing the first and second authentication codes. 15 
If the comparison is successful a permit signal is gener- 
ated in the comparator 35 and transmitted by means of 
fifth transmitter 36 to a transmission controller 37 
through a permit signal access port 38. The transmission 
controller 37 then permits the transmission of informa- 20 
tion from the information source 39 within the informa- 
tion generator 13 through the primary transmission path 
15. 

The first authentication code generator 19 may con- 
tain the first encryption means for encrypting the first 25 
user identifier. In this case the second user identifier 
source 26 must either store the user identifiers in en- 
crypted form or must contain a second encryption 
means for encrypting the second user identifier when it 
is accessed. If the user identifiers are employed in en- 30 
crypted form, then successive application of the first 
encryption means and the first transform must produce 
a total transformation which is identical to successive 
application of the second encryption means and the 
second transformer. This can be accomplished either by 35 
making the two encryptions identical and the two trans- 
formations identical or by making the encryptions and 
transformations different from one another such that 
the successive application of the two is identical in the 
two branches of the system. 40 

Depending upon an analysis of the vulnerabilities of 
the particular system, the comparator 35 may include 
transformers at the first authentication code access port 
33 and the second authentication code access port 34. 
These transformers may produce identical transforma- 45 
tions or transformations that ultimately produce identi- 
cal total transformations, as explained above. 

FIG. 3 shows a device of the invention in which the 
vulnerability analysis has indicated the advisability of 
transmitting the request identifier as a transform. In this 50 
case the third transmitter 42 is also adapted for transmit- 
ting the second user identifier to the second transmitter 
43 and the second transmitter 43 includes a third trans- 
former for transforming the request identifier together 
with the second user identifier. 55 

FIG. 4 shows an exemplary device of the invention in 
which the comparator 45 is associated with the transac- 
tion device 47. This would be the case for example, if a 
commercial entity went into the business of being an 
authentication agency and offered authentication ser- 60 
vices to different entities that controlled the transaction 
controller 44. 

FIG. 5 illustrates the steps in the inventive process. 
Either simultaneously or in the following sequence; a 
transaction is requested 48, a first user identifier is intro- 65 
duced 49, and information is transmitted 50. The trans- 
action request results in generation of a request identi- 
fier 51 and database access of a second user identifier 52. 



The request identifier and the first user identifier are 
used to generate the first authentication code 53 and the 
second user identifier and request identifier generate a 
second authentication code 54. The first authentication 
code and second authentication code are compared and 
if the comparison is successful the transaction is autho- 
rized 55. The authorization produces control of the 
transaction 56. 

FIG. 6 illustrates another level of security La which 
the information generator 57 includes a third transfor- 
mation/encryption means 58 for combining the first 
authentication code and the first user identifier. In addi- 
tion, the authentication agency 59 includes a fourth 
transformation/encryption means 60 for combining the 
second authentication code and the second user identi- 
fier. The comparator 61 includes a fifth encryption 
means at the first authentication code access port 62 and 
a sixth encryption means at the second authentication 
code access port 63. Successive application of the first 
encryption means and the first transformer within the 
first authentication code generator 64, the third encryp- 
tion means 58 and the fifth encryption means at the first 
authentication code access port 62 produces an identical 
transformation to the successive application of the sec- 
ond encryption means within the second user identifier 
source 65, the second transformer within the second 
authentication code generator 66, the fourth encryption 
means 60 and the sixth encryption means within the 
comparator at the second authentication code access 
port 63. 

What is claimed: 

1. In an information transmission system comprising 
an authentication agency, a primary transmission path, a 
switch in the primary transmission path, and an infor- 
mation generator with a station identifier, an authentica- 
tion method comprising the steps of: 

introducing a first user identifier from a first user 
identifier source into a first authentication code 
generator within the information generator; 

transmitting a transmission request from the informa- 
tion generator to the authentication agency; 

transmitting the station identifier from the informa- 
tion generator to the authentication agency; access- 
ing a record in a second user identifier source of the 
user identifier corresponding to the station identi- 
fier in response to the transmission request; 

forwarding the second user identifier from the second 
user identifier source to a second authentication 
code generator within the authentication agency; 

generating a request identifier in a request identifier 
generator, in response to the transmission request; 

transmitting the request identifier from the request 
identifier generator to the first and second authenti- 
cation code generators; 

generating a first authentication code in the first au- 
thentication code generator and a second authenti- 
cation code in the second authentication code gen- 
erator in response to the request identifier and the 
first and second user identifiers; 

transmitting the first and second authentication codes 
to a comparator; 

comparing the first and second authentication codes 
and generating a permit signal only if the compari- 
son is successful, showing that the first user identi- 
fier and the request identifier have experienced the 
same total transformation as the second user identi- 
fier and the request identifier; and 
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transmitting the permit signal to the switch, enabling authentication code generator and to a second au- 

information flow through the primary transmission thentication code generator, 

path, whereby information flow through the pri- a user identifier source comprising a second transmis- 

mary transmission path is permitted only after sue- sion request access port and a third transmitter for 

cessful comparison of the first and second authenti- 5 transmitting a second user identifier to the second 

cation codes. authentication code generator, 

2. A method of claim 1 in which the first authentica- the second authentication code generator comprising 
tion code and the second authentication code are gener- a second request identifier access port, a second 
ated through use of identical irreversible transforms. user identifier access port, a second transformer for 

3. A method of claim 2 including a step of encrypting 10 combining the second request identifier and the 
the user identifier. second user identifier, transmitted to the respective 

4. A method of claim 1 in which the first authentica- access port to produce a second authentication 
tion code and the second authentication code are gener- code, and a fourth transmitter for transmitting the 
ated through use of encryption transforms. second authentication code to a comparator, and 

5. A method of claim 1 in which the request identifier 15 the comparator comprising a first authentication code 
includes the time and date of the transmission request. access port, a second authentication code access 

6. A method of claim 1 in which the request identifier port, a comparing means for comparing the first 
is a number that is not repeated within the time span of authentication code and the second authentication 
the transmission request code, transmitted to the respective access port, and 

7. A method of claim i in which the first authentica- 20 producing a permit signal only if the first authenti- 
tion code and the second authentication code are gener- cation code and the second authentication code, 
ated through use of identical transforms. when compared by the comparing means, are 

8. A method of claim i in which the first authentica- equal, indicating a matching condition between the 
tion code is generated through use of a first transform, first and second authentication codes, and a fifth 
comparison of the first authentication code includes use transmitter for transmitting the permit signal to the 
of a second transform, the second authentication code is primary transmission path; and 

generated through use of a third transform, and com- wherein the primary transmission path comprises a 

parison of the second authentication code includes use transmission controller with a permit signal access port 
of a fourth transform, the transforms being such that 3Q for authorizing transmission when the permit signal is 

successive application of the first and second transform transmitted to the permit signal access port 

is identical to the successive application of the third and 14. A device of claim 13 in which the requesting 

fourth transform. means includes a key port for accepting an enabling key 

9. A method of claim 8 in which the first transform with the first user identifier. 

and the third transform are irreversible transforms, 35 15. A device of claim 14 in which the first authentica- 

10. A method of claim i in which the information tion code generator includes first encryption means for 
generator communicates with the authentication encrypting the first user identifier. 

agency by means of radio transmission. 16. A device of claim 15 in which the user identifier 

11. A method of claim i in which introducing the user source includes a second encryption means for encrypt- 
identifier into the first authentication code generator ^ ing the user identifier. 

includes the step of introducing an enabling key into the 17. A device of claim 16 in which successive applica- 

information generator. tion of the first encryption means and the first trans- 

12. A method of a claim 1 in which transmitting the former produces an identical transformation to succes- 
request identifier includes trarisforming the request sive application of the second encryption means and the 
identifier together with the second user identifier. 45 second transformer. 

13. An authenticating information transmission sys- 18. A device of claim 16 in which the information 
tern comprising an information generator, an authenti- generator further includes a third transfonnation/en- 
cation agency and a primary transmission path, the cryption means for combining the first authentication 
information generator communicating with the authen- code and the first user identifier, the authentication 
tication agency, said agency controlling the primary 50 agency further includes a fourth transformation/en- 
transmission path, wherein the information generator cryption means for combining the second authentica- 
comprises: tion code and the second user identifier, the comparator 

requesting means for presenting a transmission re- includes a fifth encryption means at the first authentica- 

quest to the authentication agency; tion code access port and a sixth encryption means at 

a first authentication code generator comprising a 55 the second authentication code access port, wherein 

first user identifier access port, a first request iden- successive application of the first encryption means, the 

tifier access port, a first transformer for ccimbining first transformer, the third transformation/encryption 

a first user identifier and a first request identifier means and the fifth encryption means produces an iden- 

transmitted to the respective access port to pro- tical transformation to the successive application of the 

duce a first authentication code, and a first trans- 60 second encryption means, the second transformer, the 

mitter for transmitting the first authentication code fourth transformation/encryption means and the sixth 

to the authentication agency; and encryption means. 

an information source for introducing information 19. A device of claim 13 in which the first trans- 

into the primary transmission path, former and the second transformer produce the same 

wherein the authentication agency comprises: 65 irreversible transform. 

a request identifier generator comprising a first trans- 20. A device of claim 13 in which the first trans- 
mission request access port and a second transmit- former and the second transformer produce reversible 
ter for transmitting the request identifier to the first encryption transforms. 
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21. A device of claim 13 in which the request identi- 
fier generator transmits a request identifier including 
the time and date of the transmission request. 

22. A device of claim 13 in which the request identi- 
fier generator transmits a request identifier that is not 5 
repeated within the time span of the transmission re- 
quest. 

23. A device of claim 13 in which the third transmit- 
ter is also adapted for transmitting the second user iden- 
tifier to the second transmitter and the second transmit- 10 
ter includes a third transformer for trarisforming the 
request identifier together with the second user identi- 
fier. 

24. A transaction request authentication process com- 
prising the steps of: 15 

introducing a first user identifier into a first authenti- 
cation code generator, within a user device; 

transmitting a transaction request to an authentication 
agency; 

in the authentication agency, generating a request 
identifier and a second user identifier in response to 
the transaction request; 

transmitting the request identifier to the first authenti- 
cation code generator and to a second authentica- 
tion code generator, within the authentication 
agency; 

transmitting the second user identifier to the second 
authentication code generator, 

generating a first authentication code in response to 3Q 
the first user identifier and the request identifier 
and a second authentication code in response to the 
second user identifier and the request identifier; 

transmitting the first authentication code and the 
second authentication code to a comparator, 35 
within the authentication agency; 

generating a permit signal in the comparator in re- 
sponse to the first and second authentication codes; 
and 

transmitting the permit signal to a transaction device, 40 
thereby authorizing a transaction to proceed. 

25. A method of claim 24 including the step of en- 
crypting the first user identifier and the second user 
identifier. 

26. A method of claim 24 in which the first authenti- 45 
cation code and the second authentication code are 
generated using an irreversible transform. 

27. A method of claim 24 in which the request identi- 
fier includes the time and date of the transaction re- 
quest. 50 

28. A method of claim 24 in which the request identi- 
fier is a number that is not repeated within the time span 
of the transmission request 

29. A method of claim 24 in which the first and sec- 
ond authentication codes are generated using an en- 55 
cryption transform. 

30. A method of claim 24 including the steps of en- 
crypting the first and second authentication codes. 

31. A method of claim 24 including transforming the 
request identifier together with the second user identi- 60 
fier, 

32. A transaction request authentication process com- 
prising the steps of: 

introducing a first user identifier into a first authenti- 
cation code generator, within a user device; 65 

generating a request identifier in the user device; 
transmitting a transaction request and the request 
identifier to an authentication agency; 



in the authentication agency, generating a second 
user identifier in response to the transaction re- 
quest; 

transmitting the request identifier to the first authenti- 
cation code generator and to a second authentica- 
tion code generator, within the authentication 
agency; 

transmitting the second user identifier to the second 
authentication code generator; 

generating a first authentication code in response to 
the first user identifier and the request identifier 
and a second authentication code in response to the 
second user identifier and the request identifier; 

transmitting the first authentication code and the 
second authentication code to a comparator, 
within the authentication agency; 

generating a permit signal in the comparator in re- 
sponse to the first and second authentication codes; 
and 

transmitting the permit signal to a transaction device, 
thereby authorizing a transaction to proceed. 

33. A transaction request authentication process com- 
prising the steps of: 

in an authentication agency, generating a request 
identifier and a user identifier in response to a trans- 
action request from a user; 

transmitting the request identifier to the user and to 
an authentication code generator; 

transmitting the user identifier to the authentication 
code generator; 

generating a first authentication code in the authenti- 
cation code generator in response to the request 
identifier and the user identifier; 

transmitting the first authentication code to a com- 
parator; receiving into the comparator a second 
authentication code produced by the user in re- 
sponse to the request identifier; 

generating a permit signal in the comparator in re- 
sponse to the first authentication code and the sec- 
ond authentication code; and transmitting the per- 
mit signal to a transaction device, thereby authoriz- 
ing a transaction to proceed. 

34. An information generator for use in an authenti- 
cating information transmission system comprising; 

requesting means for presenting a transmission re- 
quest to an authentication agency; 

a first authentication code generator comprising a 
first user identifier access port, a first request iden- 
tifier access port, a first transformer for combining 
a first user identifier and a first request identifier 
transmitted to the respective access port to pro- 
duce a first authentication code, and a first trans- 
mitter for transmitting the first authentication code 
to the authentication agency; and 

an information source for introducing information 
into the primary transmission path. 

35. A device of claim 34 in which the first trans- 
former is adapted for producing an irreversible trans- 
form. 

36. An authentication agency for use in an authenti- 
cating transaction system comprising: 

A request identifier generator comprising a first 
transaction request access port and a second trans- 
mitter for transmitting the request identifier to the 
first authentication code generator and to a second 
authentication code generator; 

a user identifier source comprising a second transac- 
tion request access port, a third transaction request 
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access port and a third transmitter for transmitting 
the second user identifier to the second authentica- 
tion code generator; 

the second authentication code generator comprising 
a second request identifier access port, a second 5 
user identifier access port, a second transformer for 
combining the second request identifier and the 
second user identifier, transmitted to the respective 
access port to produce a second authentication 
code, and a fourth transmitter for transmitting the 10 
second authentication code to a comparator; and 

the comparator comprising a first authentication code 
access port, a second authentication code access 
port, a comparing means for comparing the first 
authentication code and the second authentication 15 
code, transmitted to the respective access port, and 
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14 

producing a permit signal in response to the first 
and second authentication codes, and a fifth trans- 
mitter for transmitting the permit signal to the 
primary transaction path for authorizing the trans- 
action to proceed. 
37. A transaction access module for use in a authenti- 
cating transaction system comprising: requesting means 
for presenting a transaction request to an authentication 
agency; and a first authentication code generator com- 
prising a first user identifier access port, a first request 
identifier access port, a first transformer for combining 
a first user identifier and a first request identifier to 
produce a first authentication code, and a first transmit- 
ter for transmitting the first authentication code to the 
authentication agency. 
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[57] ABSTRACT 

Disclosed is a multifunction card system which provides a 
multifunction card capable of serving as a prepaid phone 
card, a debit card, a loyalty card, and a medical information 
card. Each card has an identification number comprising a 
bank identification number which assists in establishing 
communications links. The card system can be accessed 
from any existing point-of-sale (POS) device. The POS 
device treats the card as a credit or debit card and routes 
transaction data to a processing hub using the banking 
system. The processing hub coordinates the various data- 
bases corresponding to the various functions of the card. 
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MULTIFUNCTION CARD SYSTEM 
FIELD OF THE INVENTION 

The present invention relates generally to debit card 
systems, both bank-issued and non-bank-issued, and more 5 
particularly to a multifunction card system that can be 
accessed by a variety of standard point-of-sale devices, by 
phone, by fax, or over the Internet. 

BACKGROUND OF THE INVENTION 

I. Debit Cards 10 
Banking institutions often issue debit cards to their cus- 
tomers to give them access to funds from their savings or 
checking accounts. Such a debit card might be an on-line 
debit card or an off-line debit card. On-line debit cards, often 
referred to as automatic teller machine (ATM) cards, require 15 
a personal identification number (PIN) to be entered into an 
ATM or point-of-sale (POS) device in order to authorize the 
transaction. Once completed, the transaction clears the bank 
account immediately. Off-line debit cards function like 
credit cards, and usually carry the VISA® or MasterCard® 20 
logo. A retailer processes the card like a credit card and the 
customer signs a receipt. The funds then clear the bank 
account in one to three days. 

While such debit cards are extremely useful and provide 
convenience for bank depositors, they generally do not serve 25 
a plurality of functions. Therefore, there is a need in the art 
for a debit/credit card capable of performing a plurality of 
functions, such as an electronic gift certificate card, a 
prepaid phone card, and a loyalty card, all in a real-time 
secure environment. There is also a need in the art for a 30 
system which can provide a card substitute for travelers 
checks and money orders which can be accepted by any POS 
device or ATM for financial transactions. Further, there is a 
need for a processing center which can manage such a 
multifunction card system. 35 

II. Prepaid Phone Cards 

Prepaid card systems are used by the telephone industry 
to allow customers to prepurchase long distance calling 
time. Such cards are typically purchased in predefined value 
increments. The card provides the customer with an amount 40 
of long distance calling time equivalent to the predefined 
value increment. 

Each of the cards has an identification number printed or 
magnetically stored on it. The identification number is also 
stored in a record in a database maintained by the card issuer. 45 
This record also stores the predefined value of the card. 
When the cards are sent to the retail location from which 
they will be sold, the corresponding records in the database 
are activated, thus allowing the card to be used immediately 
by a customer. To use the card, the customer dials a toll free 50 
number to access the card issuer's system, enters the iden- 
tification number, and then makes the desired long-distance 
call. During the call, the value of the card in the database is 
decremented accordingly. When the value of the card is 
exhausted, the call terminates. If the customer ends the call 55 
before the value of the card is exhausted, the remaining 
value may be used for additional calls. Once the entire value 
of the card has been used, it is discarded. 

These prior art prepaid phone card systems have several 
disadvantages. First, since the cards are active while on the 60 
shelf in the retail location, they may be stolen by a thief and 
easily used. Second, the prior art systems do not allow the 
customer to purchase a card having any given value, nor do 
they allow the customer to recharge the value of the cards 
once the are depleted. 65 

One way to address some of the drawbacks of prior art 
prepaid phone card systems would be to install activation 



terminals unique to the prepaid card issuer. This is referred 
to as a "closed system." U.S. Pat. No, 5,577,109 to Stimson 
et al. discloses such a closed system. In the Stimson system, 
the cards are not preactivated. Each of the retail locations 
from which cards are to be sold is provided with a dedicated 
activation terminal which allows the retail operator to set the 
value of the card at the time of the sale. The activation 
terminal connects to the card issuer's system to pass along 
the value amount and to request activation of the card. 
Depleted cards can be recharged in the same manner as they 
are sold. A serious disadvantage of the Stimson system is 
that it requires single-function dedicated hardware to be 
installed in each retail location, resulting in a very inflexible 
and expensive system. 

Thus, there is a need in the art for a prepaid phone card 
activating system which is easily and inexpensively 
deployed, and which allows cards to be purchased in varying 
amounts and to be recharged without requiring the use of a 
closed system to handle the transactions. 

III. Loyalty Cards 

Loyalty cards are used to reward consumers for purchas- 
ing goods or services. For instance, airlines commonly 
reward frequent fliers with points for each mile flown with 
that airline. When the consumer accumulates a certain 
number of points, he or she is rewarded with free or 
discounted air fare. In this and other similar systems, the 
loyalty card issuer directly participates in the sale transac- 
tion. Such systems, however, do not allow a manufacturer of 
a product which is sold by an unrelated retailer to immedi- 
ately reward the ultimate purchaser of the product with 
loyalty points. Since the manufacturer does not know of the 
ultimate sale until much later, if ever, it is difficult for such 
a manufacturer to conduct a loyalty program. Thus, there is 
presently no method for creating a product-specific loyalty 
card as opposed to a retailer-specific card. Nor is there a 
system for communicating loyalty data to databases not 
located at the retail establishment. 

Furthermore, prior art loyalty programs generally do not 
credit the consumer's loyalty account in real-time as a 
purchase transaction takes place. Therefore, the consumer is 
unable to enjoy the benefits of their added loyalty points 
immediately. Finally, prior art loyalty programs commonly 
require significant startup efforts and expenses before the 
system is operational. Therefore, there is a need in the art for 
a real-time loyalty card system which is easily deployed, and 
which is capable of providing a product-specific loyalty card 
as well as a retailer-specific card. There is also a need for a 
system which can reward customers automatically for their 
loyalty and communicate this loyalty reward to databases 
other than at a retail location. 

IV. Information Retrieval 

Often, it is important to access certain types of informa- 
tion in a very fast and convenient manner. For example, a 
person's medical history can be extremely important in 
assessing the propriety of certain medical procedures during 
a medical emergency. Presently, in order to obtain a patient's 
medical history, the patient or his or her doctor must request 
the appropriate files from the patient's previous doctor(s). It 
often takes a number of days to receive the requested 
information. In a medical emergency, this delay is often far 
too long. Thus, there is a need for patients to have control 
over their own medical history data. Further, there is a need 
for this data to be instantly available to the patient, or the 
patient's doctor if the patient is incapacitated. 

V. Multifunction Card 

Due to the proliferation of various types of cards (e.g., 
credit/debit, long-distance calling, loyalty, etc.) over the last 
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couple of decades, it has become increasingly difficult to sidered in conjunction with the following drawings wherein 

keep track of each individual card. There is a need for a card like reference numbers denote the same or similar portions 

system which can serve a number of functions, thus allowing or processes shown throughout the several Figures, in 

the consumer to have one card which may act as their card which: 

for financial transactions, long-distance telephone calls, loy- 5 fig. 1 is a block diagram of the multifunction card system 

ally information, and medical information. of the present invention; and 

SUMMARY OF THE INVENTION PIG. 2 is block diagram demonstrating the various ways 

„ , t , , • , j in which a retail point-of-sale device might connect to the 

The present invention solves the problems associated with multifunction card tem of the resent invendon . 

prior art card systems by providing an improved multiiunc- io 

tion card system. The multifunction card system comprises DETAILED DESCRIPTION OF THE 
at least one electronic gift certificate card having a unique INVENTION 
identification number encoded on it, the identification num- 
ber comprising a bank identification number corresponding The present invention is a multifunction card system 
to the multifunction card system; means for receiving elec- 15 which allows for the activation of prepaid phone cards and 
tronic gift certificate card activation data from an existing the use of Electronic Gift Certificate™ cards, loyalty cards, 
standard retail poiot-of-sale device when the electronic gift debit cards, and medical information cards. Further, the 
certificate card is swiped through the point-of-sale device, system provides for the immediate linkage of these various 
the electronic gift certificate card activation data comprising functions. FIG. 1 illustrates the multifunction card system 
the unique identification number of the electronic gift cer- 2 o 108 of lhe P resent invention. The system 108 comprises a 
tificate card and an electronic gift certificate activation plurality of cards 101, a sponsor bank processor 102, and a 
amount; means for activating an account corresponding to processing hub 103, which serves as the nerve center of the 
the electronic gift certificate card with a value equal to the system 108. If the system 108 is to provide prepaid phone 
electronic gift certificate activation amount; and means for cards, it will also include a prepaid phone card issuer hub 
allowing a user of the electronic gift certificate card to 2 5 104 maintained by a prepaid phone card issuer. In order to 
purchase goods having a value up to the electronic gift achieve the desired functionality, the system 108 uses exist- 
certificate activation amount. ing banking networks in a unique and novel way to gain 
The multifunction card system further comprises at least * * rt ^ y ? C ™^L ^ f^^f <?° S > 
one phone card having a unique identification number ^vices 105. ^^^/^ P ° S 
encoded on it, the identification number comprising a bank 30 taming cash registers with POS interfacing, computers 
identification number corresponding to the multifunction with POS interfacing and other similar devices which can 
card system; means for receiving phone card activation data be used to access the banking system. As used herein POS 
from an existing standard retail point-of-sale device when device includes all such devices, whether data entry is 
the phone card is swiped through the point-of-sale device, effected b X ™P»8 a card thr0 ^ the device or b * manual 
the phone card activation data comprising the unique iden- 35 entrv * 

tification number of the phone card and a phone card To access these POS devices, the operator of the system 

activation amount; means for activating an account corre- 108 must apply for and obtain a Bank Identification Number 

spending to the phone card with a value equal to the phone (BIN) from the American Banking Association. The BIN 

card activation amount; and means for allowing a user of the serves as a unique identifier of the multifunction card system 

phone card to obtain long distance telephone calling time 40 108 within the banking network. The BIN is encoded on a 

having a value up to the phone card activation amount. magnetic strip 106 on each card 101 in the system 108 as a 

In a preferred embodiment, the multifunction card system P«* of card's identification number. Alternatively or 

further comprises at least one loyalty card having a unique additionally, the BIN and idenUfication number could be 

identification number encoded on it, the identification num- ™*>™ » a °ode, on thc on the card 

ber comprising a bank identification number corresponding 45 101 in numerals for manual entry, or provided by any other 

to the multifunction card system; means for receiving loy- mcans known m me art ( t 

alty data from an existing standard retail point-of-sale device Preferably, the BIN's first digit will be the same number 

when the loyalty card is swiped through the point-of-sale as the first BIN digit used by a popular card issuer. This is 

device, the loyalty data comprising the unique identification because POS devices are preprogrammed to recognize only 

number of the loyalty card and a purchase amount; and 50 certain types of cards, such as those issued by VISA® and 

means for crediting an account corresponding to the loyalty MasterCard®, American Express®, etc. As a rule, these POS 

card with a number of loyalty points proportional to the devices must be reprogrammed before they will accept a 

purchase amount new { yp c °^ card - However, since POS devices already 

Optionally, the multifunction card system of the present recognize cards issued by these popular card issuers a new 

invention may also comprise at least one medical informa- 55 type of card will also be recognized by such devices if it has 

tion card having a unique identification number associated a BIN that begins with the same number used by one of the 

with it, the medical information card belonging to a patient; P°P^ ar card Since VISA® and MasterCard® are 

a database comprising at least one record corresponding to most universally accepted cards, the BIN of the multi- 

the medical information card, the record containing medical function card system 108 of the present invenUon preferably 

history information about the patient; and means for allow- «o will begin with the same number used by either VISA® or 

ing an authorized requester to obtain the medical history MasterCard® (i.e., "4" "or "5", respectively). By using one of 

information about the patient using the unique identification these numbers, the card 101 will be recognized by almost all 

number associated with the medical information card. listing POS devices 105 as a debit or credit card and its 

transactions will be automatically routed by the banking 

BRIEF DESCRIPTION OF THE DRAWINGS 65 S y ste m to the correct destination. This occurs regardless of 

The present invention will be more fully understood by the type of POS device 105 used, since all such devices are 

reference to the following detailed description when con- designed to interface with the banking network. Although 



05/14/2004, EAST Version: 1.4.1 



6,000,608 



the BIN number will preferably begin with a "4" or "5", it 
may begin with any number that is recognized by POS 
devices 105. 

The operator of the system 108 should also have a 
sponsoring bank whose bank processor 102 will serve as the s 
link between the processing hub 103 and the banking 
network. Alternatively, the operator of the system 108 could 
itself be a banking institution. 

By providing a means for any given POS device 105 to 
connect to the processing hub 103, the system 108 allows a 10 
retailer to remotely activate or add value or loyalty data to 
a system card. The method by which this occurs is set forth 
more fully below in the context of the various functions of 
the card. 

I. Prepaid Phone Card 15 

A plurality of long distance service providers may con- 
tract with the operator of the multifunction card system 108 
to issue prepaid phone cards 101 for use in the system 108. 
Alternatively, a long distance service provider may itself be 
the operator of the system 108. The long distance service 20 
provider will be referred to as a phone card issuer. A phone 
card issuer provides prepaid phone cards 101 to retailers 
who sell the cards 101 at their retail locations. Until 
activated, the cards 101 have no intrinsic value associated 
with them. Therefore, they may be placed on store shelves 25 
in easily accessible areas without the fear of losses due to 
theft. When a customer wishes to purchase or recharge one 
of the cards 101, he or she informs the sales clerk of the 
monetary amount desired. Depending upon the system cho- 
sen by the particular phone card issuer, this amount may be 30 
one of a finite number of predefined amount increments, or 
may be selected by the customer. The clerk swipes the card 
101 through the POS device 105. Depending upon the 
amount of customization that has occurred at the retailer's 
location, there are a number of ways in which the POS 35 
device 105 may connect to the system's 108 processing hub 
103 to carry out the transaction. FIG. 2 illustrates several of 
these methods. 

The first two methods shown in FIG. 2, methods A and B, 
are the most easily deployed, but cost the most on a 40 
per-transaction basis. To route information to the processing 
hub 103, these methods employ the debit network 107 used 
by banking institutions. The retailer in method A (retailer A) 
has a central processor which controls each of its POS 
devices 105 and connects them to a processor 208 at a bank 45 
chosen by the retailer. Retailer B's POS device 105 connects 
directly to the bank processor 208. Otherwise, the two 
methods are the same. 

Banking regulations currently require that any transaction 
taking place over the debit network 107 must result in an 50 
actual transfer of funds. Since this phone card activation 
transaction is not a typical debit transaction, it is presently 
desirable to keep the official amount of the transaction to a 
minimum, yet still comply with the banking regulations. 
Therefore, regardless of the actual sale amount, the clerk 55 
enters a nominal transaction amount. In a preferred 
embodiment, the nominal transaction amount is keyed to the 
actual transaction amount (e.g., $0.01 nominal=$10.00 
actual, $0.02 nominal=$20.00 actual, etc.). Therefore, the 
actual transaction amount can be ascertained from the nomi- 60 
nal amount. In this embodiment, the card could only be 
activated or recharged in predefined increments. If the card 
is to have a fixed value, the activation amount could also be 
encoded on the magnetic strip 106 of the card 101 as part of 
the card's identification number. 65 

In an alternate embodiment, the card could be activated or 
recharged in any amount desired by the customer. In this 



case, the nominal transaction amount would be a fixed value, 
such as $0.01. Once the nominal transaction amount is 
entered, the actual sale amount could then be entered on the 
PIN pad of the POS device 105 instead of the personal 
identification number (PIN) that would normally be entered 
when using a debit card. By entering the actual sale amount 
in this manner, it can be any desired amount. 

In either case, before it transmits the data, the POS device 
105 encrypts the information to be sent. This information 
includes the identification number read from the card's 
magnetic strip 106, the nominal transaction amount, and the 
actual sale amount if it was entered into the PIN pad. The 
system 108 contains software which will decrypt and trans- 
late the data upon receipt. Once the encryption has taken 
place, the POS device 105 transmits the data either directly 
or via the central processor 201 to the bank processor 208. 
The bank processor 208 receives the data and transmits it 
over the debit network 107. The debit network 107 then 
forwards the data to the sponsoring bank's processor 102. As 
mentioned earlier, the sponsoring bank is one which has 
agreed to operate as a link between the debit network 107 
and the processing hub 103. 

As mentioned earlier, banking regulations as they cur- 
rently exist require that transactions taking place over the 
debit network must result in a transfer of funds. Preferably, 
in order to comply with the banking regulations, the spon- 
soring bank transfers the nominal amount (e.g., $0.01) from 
one account belonging to the retailer to another account also 
belonging to the retailer. The bank processor 102 then 
forwards the data from the POS device 105 to the processing 
hub 103. 

In methods C and D, the retailers' central processor 202 
or POS device 105, respectively, again connect to a proces- 
sor 209 at a retailer-chosen bank. By agreement between the 
operator of the multifunction card system 108 and the 
retailer-chosen bank, this bank processor 209 is pro- 
grammed to recognize the multifunction card system's BIN 
and to forward the system's transactions directly to the 
sponsoring bank's processor 102 rather than using the debit 
network 107. Since the debit network 107 is not used, it is 
not necessary to use a nominal sale amount, although such 
a method would nonetheless work and might be preferred by 
the retailer for security and bookkeeping purposes. The 
system 108 could instead be programmed to prompt the 
clerk for the appropriate information. As in methods A and 
B, the sponsor bank processor 102 forwards the necessary 
information to the processing hub 103. Although methods C 
and D are more efficient than methods A and B on a per 
transaction basis, they require some customization at the 
retailer location to cause the retailer to connect to a bank 
processor 209 that recognizes the system's BIN. 

Methods E and F are the least costly methods of connect- 
ing to the processing hub 103 (i.e., directly from the retail- 
er's central processor 203 or from the POS device 105 
itself). The connection may be made via a toll-free telephone 
line, a dedicated phone line, over the Internet, or any other 
standard communication means. Again, however, these 
methods require the most customization at the retailer loca- 
tion to cause the retailer's system to recognize the multi- 
function card system's cards and to route their transactions 
directly to the processing hub 103. Such customization, 
however, still does not require reprogramming of the POS 
devices themselves. The connection method chosen may be 
adjusted to fit the individual retailer's needs. 

Regardless of the method used, the data will eventually 
arrive at the processing hub 103. If the transmission has 
taken place over the debit network 107, the data must be 
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decrypted using equipment well known in the art for 
decrypting debit transaction data. Once the data is received 
and, if necessary, decrypted, the processing hub 103 recog- 
nizes the identification number of the card as being associ- 
ated with a particular prepaid phone card issuer. Next, a 5 
security check is performed to verify that this transaction is 
originating from a retailer that is authorized to sell the 
prepaid phone cards. If the transaction is originating from an 
authorized retailer, the transaction will proceed. The pro- 
cessing hub 103 will then forward the card identification 10 
number, retail store and POS device information, and 
amount information to the issuer hub 104 maintained by the 
prepaid phone card issuer. The issuer hub 104 contains one 
or more phone card databases 204 which store information 
about each phone card. When the issuer hub 104 receives the 15 
data from the processing hub 103, it activates the record in 
the phone card database 204 having the same identification 
number as the card 101. The value field in the record is then 
increased by the appropriate purchased amount. If the card 
is of a fixed value, the record is simply activated. The issuer 20 
hub 104 then returns an authorization number which travels 
back along the same path to the originating POS device 105. 
The customer may then dial the prepaid phone card issuer's 
toll free number, enter the card number and any required 
PIN, and obtain long distance calling time having a value up 25 
to the value of the card stored in the phone card database 
204. 

Each activation or recharge transaction is recorded by the 
system 108. At the end of the day, a report is preferably 
created for each card issuer and retail location so that their 30 
accounts can be reconciled. Transfer of funds between these 
parties may then take place by any commercially acceptable 
means. 

II. Electronic Gift Certificate™ Card 

The multifunction card system 108 of the present inven- 35 
tion is also capable of providing an Electronic Gift Certifi- 
cate™ (EGC) card 101 for a retail issuer. Such a card 101 
could be sold by the retail issuer for making purchases only 
in the retail issuer's stores or for use in a plurality of stores. 
As in the phone card context, the customer would ask the 40 
sales clerk for an Electronic Gift Certificate™ card of the 
desired amount. If the customer already has an Electronic 
Gift Certificate™ card, he or she might ask the clerk to add 
the desired amount to the already existing balance. The clerk 
swipes the card 101 and enters the transaction amount, either 45 
directly or using a nominal amount and/or the PIN pad, 
depending upon whether the debit network 107 is to be used. 
Using one of the methods discussed above, the data then 
makes its way to the processing hub 103. 

Alternatively, the activation could occur by processing the 50 
card 101 as a typical debit card using the debit network 107. 
In such a case, the retail issuer would maintain accounts with 
the sponsor bank. When an activation transaction takes 
place, the bank would transfer the activation amount from a 
general account to an account corresponding to the card. If 55 
the card is to be accepted at a number of retail locations, the 
account corresponding to the card could be opened in the 
name of the card holder if appropriate paperwork is sub- 
mitted to the bank. In this manner, the card could be used at 
any retail location capable of processing debit transactions. 60 
This would allow the card to serve as a prepaid card 
substitute for travelers checks and money orders. Regardless 
of the way in which the card is processed, the transaction 
data eventually makes its way to the processing hub 103. 

Upon receipt of the transaction data, the hub 103 recog- 65 
nizes the card 101 as being an Electronic Gift Certificate™ 
card of the retail issuer and activates or recharges the card 



101 in the appropriate amount in an EGC database 205 
maintained at the processing hub 103. 

Optionally, the Electronic Gift Certificate™ card 101 
could also be recharged using a credit card via an on-line 
connection to the processing hub 103, such as over the 
Internet. 

Once a card 101 has been activated or recharged, the 
recipient of the card 101 is allowed to make purchases using 
the card. If the card is only for use in the retail issuer's 
stores, the purchase transaction might proceed in much the 
same manner as the activation process. The clerk would 
swipe the card 101 and enter the purchase amount. If the 
transaction is to be transmitted over the debit network, a 
nominal transaction amount may be used, and the actual 
amount entered instead of the PIN. A special code is used to 
indicate that the transaction is a purchase transaction rather 
than an activation or recharge transaction. If the debit 
network is used, the code could be the first digit of the PIN, 
followed by the purchase amount, thus allowing the soft- 
ware of the system 108 to recognize the type of transaction 
and decrypt the data accordingly. 

Upon receipt of the data via one of the methods described 
above, the processing hub 103 compares the purchase 
amount to the balance for the card in the EGC database 205. 
If the balance is greater than the purchase amount, the 
processing hub 103 will decrement the record in the data- 
base and will send back an approval code which will allow 
the transaction to proceed. If a sufficient balance is not 
present, the processing hub 103 will notify the POS device 
105 that the transaction may not proceed. Preferably, an 
automated toll free number is provided for the holder of the 
card 101 to verify the remaining balance. The processing 
hub 103 preferably maintains records of all transactions. 

If the card 101 is for use in many retail locations, it would 
instead be processed during purchase transactions as a 
typical debit card, preferably using the debit network 107. In 
this case, either the retail issuer or the cardholder must have 
an account with the sponsor bank. When a purchase trans- 
action takes place, the clerk or cardholder simply swipes the 
card and receives back a response in the same manner as a 
normal debit transaction. If sufficient funds are present in the 
account corresponding to the card, the transaction will be 
approved. The sponsor bank then transfers the purchase 
amount from the retail issuer's or cardholder's account to an 
account belonging to the retail location at which the pur- 
chase occurred, which account may or may not be located at 
the sponsor bank. The transaction data is then forwarded to 
the processing hub 103 so that the EGC database 205 can be 
updated. 

In a preferred embodiment, an Electronic Gift Certifi- 
cate™ card could also be used to obtain long distance calling 
time in addition to making purchases in the retail issuer's 
store. The retail issuer could contract with a prepaid phone 
card issuer to provide the calling time. When the card 101 is 
activated, the phone card issuer simultaneously creates an 
entry in its phone card database 204 corresponding to the 
entry in the EGC database 205. The card 101 can then be 
used in exactly the same manner as the prepaid phone card 
discussed above. In order to prevent the use of the Electronic 
Gift Certificate™ card simultaneously to make purchases 
and to obtain long distance calling time, a safety procedure 
is provided. When the card 101 is used to make a long 
distance call, the phone card issuer hub 104 instructs the 
processing hub 103 to seize the record corresponding to the 
card 101 in the EGC database 205. With the record seized, 
the system 108 will not authorize any purchasing activity for 
the duration of the call. When the call terminates, the phone 
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card issuer hub 104 decrements the appropriate record in its 
phone card database 204 and instructs the processing hub 
103 to do the same in the EGC database 205. The record in 
the EGC database 205 is then unseized. When the card 101 
is used to make a purchase, the processing hub 103 similarly 
instructs the phone card issuer hub 104 to seize the appro- 
priate record in the phone card database 204 for the duration 
of the transaction. When the transaction is over, the records 
in the EGC database 205 and the phone card database 204 
are decremented appropriately. 

In the preferred embodiment of the invention, the retail 
issuer is also given the capability to award loyalty points to 
the bearer of the Electronic Gift Certificate™ card in rec- 
ognition of purchases or recharges made. In such a case, the 
processing hub 103 maintains a separate loyalty card data- 
base 206. When the Electronic Gift Certificate™ card bearer 
adds money to the card 101, or makes a purchase using the 
card 101, the system 108 may add a number of points 
proportional to the purchase price to the card's record in the 
loyalty card database 206. Alternatively points could be 
awarded based upon the frequency of card usage rather than 
purchase amounts. In either case, when the card bearer 
reaches certain predefined point plateaus, he or she may be 
rewarded by the retail issuer with additional card value or 
with long-distance calling time. 
III. Loyalty Card 

Not unlike the loyalty feature add-on of the Electronic 
Gift Certificate™ card, the system 108 of the present inven- 
tion may provide a separate loyalty card much like a 
frequent flier card that can have points added at virtually any 
POS device 105. 

A. Product/Manufacturer-Specific Loyalty Card 

The card could be issued by a certain manufacturer to 
reward a customer with loyalty points for purchasing the 
manufacturer's product, regardless of the retail location of 
the purchase. This reward could be tied to the purchase of a 
single product type or to all of the manufacturer's products. 
The loyalty points awarded could be varied based upon any 
promotional campaigns being conducted by the manufac- 
turer. Points are added to the card at participating retail 
locations which sell the manufacturer's produces). The card 
101 is swiped at any retail location, the purchase amount for 
the manufacturer's product is entered using the PIN pad of 
the POS device 105, and the data is transmitted to the 
processing hub 103 using one of the methods described 
above. After receiving the data, the processing hub 103 
credits the appropriate record in the loyalty card database 
206 with a number of points proportional to the purchase 
price. The card is transportable to any participating retailer. 
The system 108 allows the manufacturer to connect to the 
processing hub 103 via an on-line connection to access the 
loyalty card database 206. Again, the customer could be 
rewarded when certain point plateaus are reached. 

B. Retailer-Specific Loyalty Card 

Alternatively, the card could be issued by a particular 
retailer to reward customers for purchases made in the 
retailer's location(s). The retailer could award points for any 
purchase within the store, or could target special promo- 
tional items. The card would function in a manner similar to 
the product-specific card. Once again, the customer is 
rewarded when certain point plateaus are reached. 

Alternatively, the loyalty data could be used to simulta- 
neously credit other databases of the system 108. For 
instance, instead of awarding loyalty points, the system 
could add value in real time to a record in the phone database 
204 at the prepaid phone card issuer hub 104, thus rewarding 
the customer with free phone time. Loyalty points might also 
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be converted into a dollar value for use at the retail location. 
Optionally, the system 108 can keep records of a consumer's 
purchasing habits for marketing purposes. As with the 
manufacturer-specific card, the system 108 allows the 
5 retailer to connect to the processing hub 103 via an on-line 
connection to access the loyalty card database 206. 

IV. Information Retrieval Card 

Finally, the multifunction card system 108 of the present 
invention is capable of providing an information retrieval 
card. In an exemplary embodiment, a medical information 

10 card which allows access and retrieval of a patient's com- 
plete medical history from a multitude of remote locations is 
provided. Each participating patient's medical information 
is stored in a record in a medical information database 207 
maintained at the processing hub 103. The record contains 

15 the identification number encoded on the patient's card 101. 
When medical history information data is needed, it may 
be requested by swiping the card 101 through a POS device 
105 at a participating doctor's office or hospital. Preferably, 
a PIN is entered into the POS device 105 to ensure that only 

20 an authorized person is able to request the information. The 
POS device 105 would then send the request to the process- 
ing hub 103 via one of the routes described above. When the 
processing hub 103 receives the request from the authorized 
requester, it then immediately sends the information to the 

25 requestor via means preselected by the participating doctor's 
office or hospital. Such means may include electronic mail, 
facsimile, voice response, and other similar means. The 
medical history information may be updated by the patient 
or his or her doctor or insurer by forwarding new informa- 

30 tion to the operator of the system 108 via an on-line 
connection, over the Internet, by telephone, by facsimile, or 
by mail. 

As a backup, the request could instead be made using a 
computer, wherein the computer connects to the processing 

35 hub 103 via the Internet or by direct modem connection. The 
requestor might be allowed to view, print, or download the 
appropriate medical history information. Alternatively, the 
request could be made by facsimile or by calling an auto- 
mated toll free number and entering the card number. 

40 In order to allow a cardholder to keep track of medical 
savings accounts or various other means for paying for 
medical services (e.g., Medicare), the system 108 also 
allows access to a database which maintains the medical 
funds for the cardholder. As described above under the 

45 Electronic Gift Certificate™ section, the system 108 is able 
to authorize, reject, and cause money to be transferred based 
upon the cardholder's available medical funds. 

V. Intelligent Card™ 

In the preferred embodiment of the invention, the multi- 

50 function card system 108 is capable of providing a single 
card 101 which is capable of performing all of the foregoing 
functions. Preferably, the system 108 also allows for the card 
101 to be used as an on-line debit card after the cardholder 
registers with the system. In order to let the system 108 

55 know which function or functions the card 101 is serving in 
any particular transaction, a code is entered into the PIN pad 
of the POS device from which the transaction is originating. 
Alternatively, the system 108 could prompt the user to 
indicate the proper card function and the databases that must 

60 be accessed. Based upon this input, the system 108 carries 
out the appropriate actions. The system 108 can access each 
of the databases discussed above and can simultaneously 
increase or decrease each database as needed by the type of 
transaction occurring. 

65 VI. Processing Hub Technical Details 

The processing hub 103 of the present invention provides 
front-end POS device management and message processing 
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for card authorization and activations. The processing hub 
103 can be implemented using any computer having accept- 
able processing and storage capacity. It preferably comprises 
a Stratus RADIO Cluster™, which is a scaleable system 
based upon the standard Intel Pentium processor. The Stratus 5 
RADIO Cluster™ provides the processing hub 103 with a 
high degree of reliability and fault- tolerance. Since the 
Stratus system is scaleable, an adequate degree of redun- 
dancy can be provided in order to reduce the impact of 
individual failures. In addition, as demand for the multi- 1Q 
function card system increases, the processing hub 103 can 
be scaled to meet increasing demands for processing power 
and storage availability. The modular design of such a hub 
is upgradable for long term capacity planning and expan- 
sion. 15 

The software of the system is preferably written in the C, 
Force, and Foxpro programming languages. The C language 
programs are preferably written to interface with specialty 
external interface boards. Force is preferably used for all 
on-line transaction processing, while Foxpro preferably pro- ^ 
vides for database management and the user interface. Since 
Force and Foxpro share database file structures, on-line 
transactions may be viewed by the system operators using 
the Foxpro interface. 

In order to provide further reliability, all applications and ^ 
data are replicated and synchronized across the processing 
hub 103 by bis Reliable software. Load distribution among 
the modules is automatically controlled by the software to 
improve the response time and throughput. External com- 
munications nodes provide the necessary interface require- ^ 
ments of physical connectivity, protocol, message 
transmission, message validation, and message processing. 

While the multifunction card system herein described 
constitutes the preferred embodiment of the present 
invention, it is to be understood that the invention is not ^ 
limited to this precise form of system, and that changes may 
be made therein without departing from the scope of the 
invention which is defined in the following claims. 

I claim: 

1. A multifunction card system, comprising: 4Q 

a. at least one electronic gift certificate card having a 
unique identification number encoded on it, said iden- 
tification number comprising a bank identification 
number approved by the American Banking Associa- 
tion for use in a banking network, said identification 45 
number corresponding to the multifunction card sys- 
tem; 

b. means for receiving electronic gift certificate card 
activation data from an unmodified existing standard 
retail point-of-sale device when said electronic gift 50 
certificate card is swiped through the point-of-sale 
device, said electronic gift certificate card activation 
data comprising the unique identification number of the 
electronic gift certificate card and an electronic gift 
certificate activation amount; 55 

c. means for activating an account corresponding to the 
electronic gift certificate card with a balance equal to 
the electronic gift certificate activation amount; 

d. means for allowing a user of the electronic gift certifi- 
cate card to purchase goods and services having a value 60 
up to the balance of the account corresponding to the 
electronic gift certificate card; and 

e. means for decreasing the balance of the account cor- 
responding to the electronic gift certificate card by the 
value of the goods and services purchased. 65 

2. A multifunction card system as recited in claim 1, 
further comprising: 



12 

a. means for receiving electronic gift certificate card 
recharge data from an existing standard retail point-of- 
sale device when said electronic gift certificate card is 
swiped through the point-of-sale device, said electronic 
gift certificate card recharge data comprising the unique 
identification number of the electronic gift certificate 
card and an electronic gift certificate recharge amount; 
and 

b. means for increasing the balance of the account cor- 
responding to the electronic gift certificate card by the 
electronic gift certificate recharge amount. 

3. A multifunction card system as recited in claim 1, 
wherein the first digit of said bank identification number is 
selected from the group consisting of four and five. 

4. A multifunction card system as recited in claim 1, 
further comprising means for allowing a user of the elec- 
tronic gift certificate card to obtain long distance telephone 
calling time, wherein the total of the value of the goods and 
services purchased and the long distance telephone calling 
time obtained cannot exceed the balance of the account 
corresponding to the electronic gift certificate card. 

5. A multifunction card system as recited in claim 4, 
wherein said means for receiving electronic gift certificate 
activation data from an existing standard retail point-of-sale 
device when said electronic gift certificate card is swiped 
through the point-of-sale device employs the banking net- 
work. 

6. A multifunction card system as recited in claim 4, 
further comprising means for associating loyalty data with 
the electronic gift certificate card based upon usage of the 
electronic gift certificate card. 

7. A multifunction card system as recited in claim 1, 
further comprising means for associating loyalty data with 
the electronic gift certificate card based upon usage of the 
electronic gift certificate card. 

8. A multifunction card system as recited in claim 1, 
wherein said means for receiving electronic gift certificate 
activation data from an existing standard retail point-of-sale 
device when said electronic gift certificate card is swiped 
through the point-of-sale device employs the banking net- 
work. 

9. A multifunction card system as recited in claim 1, 
further comprising: 

a. at least one phone card having a unique identification 
number encoded on it, said identification number com- 
prising a bank identification number approved by the 
American Banking Association for use in a banking 
network, said identification number corresponding to 
the multifunction card system; 

b. means for receiving phone card activation data from an 
unmodified existing standard retail point-of-sale device 
when said phone card is swiped through the point-of- 
sale device, said phone card activation data comprising 
the unique identification number of the phone card and 
a phone card activation amount; 

c. means for activating an account corresponding to the 
phone card with a balance equal to the phone card 
activation amount; 

d. means for allowing a user of the phone card to obtain 
long distance telephone calling time having a value up 
to the balance of the account corresponding to the 
phone card; and 

e. means for decreasing the balance of the account cor- 
responding to the phone card by the value of the long 
distance telephone calling time obtained. 

10. A multifunction card system as recited in claim 9, 
further comprising: 
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a. means for receiving phone card recharge data from an 
existing standard retail point-of-sale device when said 
phone card is swiped through the point-of-sale device, 
said phone card recharge data comprising the unique 
identification number of the phone card and a phone s 
card recharge amount; and 

b. means for increasing the balance of the account cor- 
responding to the phone card by the phone card 
recharge amount. 

11. A multifunction card system as recited in claim 9, 10 
wherein a single card with a single identification number can 
function as an electronic gift certificate card and as a phone 
card. 

12. A multifunction card system as recited in claim 1, 
further comprising: 15 

a. at least one loyalty card having a unique identification 
number encoded on it, said identification number com- 
prising a bank identification number approved by the 
American Banking Association for use in a banking 
network, said identification number corresponding to 20 
the multifunction card system; 

b. means for receiving loyalty data from an existing 
standard retail point-of-sale device when said loyalty 
card is swiped through the point-of-sale device, said 
loyalty data comprising the unique identification num- 25 
ber of the loyalty card and purchase data; and 

c. means for crediting an account corresponding to the 
loyalty card with loyalty points based upon the pur- 
chase data. 

13. A multifunction card system as recited in claim 12, 
wherein a single card with a single identification number can 
function as an electronic gift certificate card and as a loyalty 
card. 

14. A multifunction card system as recited in claim 1, 
further comprising: 

a. at least one medical information card having a unique 
identification number associated with it, said medical 
information card belonging to a patient; 

b. a database comprising at least one record correspond- 4Q 
ing to said medical information card, said record con- 
taining medical history information about the patient; 
and 

c. means for allowing an authorized requester to obtain 
the medical history information about the patient using 45 
the unique identification number associated with the 
medical information card. 

15. A multifunction card system as recited in claim 14, 
wherein a single card with a single identification number can 
function as an electronic gift certificate card and as a medical 50 
information card. 

16. A prepaid phone card system, comprising: 

a. at least one phone card having a unique identification 
number encoded on it, said identification number com- 
prising a bank identification number approved by the 5S 
American Banking Association for use in a banking 
network, said identification number corresponding to 
the prepaid phone card system; 

b. means for receiving phone card activation data from an 
unmodified existing standard retail point-of-sale device 60 
when said phone card is swiped through the point-of- 
sale device, said phone card activation data comprising 
the unique identification number of the phone card and 

a phone card activation amount; 

c. means for activating an account corresponding to the 65 
phone card with a balance equal to the phone card 
activation amount; 
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d. means for allowing a user of the phone card to obtain 
long distance telephone calling time having a value up 
to the balance of the account corresponding to the 
phone card; and 

e. means for decreasing the balance of the account cor- 
responding to the phone card by the value of the long 
distance telephone calling time obtained. 

17. A prepaid card system as recited in claim 16, further 
comprising: 

a. means for receiving phone card recharge data from an 
existing standard retail point-of-sale device when said 
phone card is swiped through the point-of-sale device, 
said phone card recharge data comprising the unique 
identification number of the phone card and a phone 
card recharge amount; and 

b. means for increasing the balance of the account cor- 
responding to the phone card by the phone card 
recharge amount. 

18. A prepaid phone card system as recited in claim 16, 
wherein the first digit of said bank identification number is 
selected from group of numbers consisting of the numbers 
four and five. 

19. Aprepaid card system as recited in claim 16, wherein 
said means for receiving phone card activation data from an 
existing standard retail point-of-sale device when said phone 
card is swiped through the point-of-sale device employs the 
banking network. 

20. A loyalty card system, comprising: 

a. at least one loyalty card having a unique identification 
number encoded on it, said identification number com- 
prising a bank identification number approved by the 
American Banking Association for use in a banking 
network, said identification number corresponding to 
the loyalty card system; 

b. means for receiving loyalty data from an unmodified 
existing standard retail point-of-sale device when said 
loyalty card is swiped through the point-of-sale device, 
said loyalty data comprising the unique identification 
number of the card and purchase data; and 

c. means for crediting an account corresponding to the 
loyalty card with loyalty points based upon the pur- 
chase data. 

21. A loyalty card system as recited in claim 20, wherein 
the first digit of said bank identification number is selected 
from a group of numbers consisting of the numbers four and 
five. 

22. A loyalty card system as recited in claim 20, wherein 
said means for receiving loyalty data from an existing 
standard retail point-of-sale device when said loyalty card is 
swiped through the point-of-sale device employs the bank- 
ing network. 

23. A method of activating or recharging a prepaid card 
having a unique identification number encoded on it, the 
identification number comprising a bank identification num- 
ber approved by the American Banking Association for use 
in a banking network, said identification number corre- 
sponding to a prepaid card system, comprising the steps of: 

a. swiping the card through an unmodified existing stan- 
dard retail point-of-sale device; 

b. entering an amount into the point-of-sale device; 

c. transmitting the identification number and the amount 
from the point-of-sale device to a processing hub; 

d. crediting an account balance in a database with the 
amount; 

e. allowing a user of the card to purchase goods and 
services using the card; and 
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f. allowing a user of the card to obtain long distance 
telephone calling time using the card; 

g. wherein the total of the value of the goods and services 
purchased and the long distance telephone calling time 
obtained using the card cannot exceed the account 
balance. 

24. A method according to claim 23, further comprising 
the step of associating loyalty data with the card based upon 
usage of the card. 

25. A method according to claim 24, further comprising 
the step of transferring loyalty data to a phone card issuer. 

26. A method according to claim 23, wherein said step of 
transmitting the identification number and the amount from 
the point-of-sale device to a processing hub is carried out at 
least in part via the banking network. 

27. A method of activating or recharging a prepaid phone 
card having a unique identification number encoded on it, 
the identification number comprising a bank identification 
number approved by the American Banking Association for 
use in a banking network, said identification number corre- 
sponding to a prepaid phone card system, comprising the 
steps of: 

a. swiping the phone card through an unmodified existing 
standard retail point-of-sale device; 

b. entering an amount into the point-of-sale device; 

c. transmitting the identification number and the amount 
from the point-of-sale device to a processing hub; 

d. transmitting the identification number and the amount 
from the processing hub to a prepaid phone card issuer 30 
hub; 

e. crediting an account balance in a phone card database 
with the amount; and 

f . allowing a user of the phone card to obtain long distance 
telephone calling time having a value up to the account 
balance. 

28. A method according to claim 27, wherein said step of 
transmitting the identification number and the amount from 
the point-of-sale device to a processing hub is carried out at 
least in part via the banking network. 

29. A method of adding points to a loyalty card having a 
unique identification number encoded on it, the identifica- 
tion number comprising a bank identification number 
approved by the American Banking Association for use in a 
banking network, said identification number corresponding 
to a loyalty card system, comprising the steps of: 

a. swiping the loyalty card through an unmodified existing 
standard retail point-of-sale device; 

b. entering purchase data into the point-of-sale device; 

c. transmitting the identification number and the purchase 
data from the point-of sale device to a processing hub; 
and 

d. crediting an account in a database with loyalty points 
based upon the purchase data. 

30. A method according to claim 29, wherein said step of 
transmitting the identification number and the purchase 
amount from the point-of-sale device to a processing hub is 
carried out at least in part via the banking network. 

31. A method according to claim 29, further comprising 60 
the step of allowing the owner of the loyalty card to redeem 
loyalty points for an item selected from the group consisting 

of goods, services, discounts on goods and services, long 
distance telephone calling time value, and money value. 

32. A multifunction card system comprising: 
a. at least one debit/medical services card having a unique 

identification number encoded on it comprising a bank 
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identification number approved by the American Bank- 
ing Association for use in a banking network; 

b. a transaction processor receiving card data from an 
unmodified existing standard point-of-sale device, said 
card data including a unique identification number; 

c. a processing hub receiving directly or indirectly said 
card data from said transaction processor; and 

d. said processing hub accessing a first database when the 
card functions as a debit card and said processing hub 
accessing a second database when the card functions as 
a medical card. 

33. The multifunction card system of claim 32, wherein 
the unique identification number further comprises a medi- 
cal identification number. 

34. A system comprising: 

a. at least one electronic gift certificate card having an 
electronic gift certificate card unique identification 
number encoded on it, said electronic gift certificate 
card unique identification number comprising a bank 
identification number approved by the American Bank- 
ing Association for use in a banking network; 

b. a transaction processor receiving electronic gift card 
activation data from an unmodified existing standard 
retail point-of-sale device, said electronic gift certifi- 
cate card activation data including said unique identi- 
fication number and an electronic gift certificate card 
activation amount; 

c. a processing hub receiving directly or indirectly said 
activation data from said transaction processor; and 

d. said processing hub activating an account correspond- 
ing to the electronic gift certificate card unique identi- 
fication number with a balance corresponding to the 
electronic gift certificate activation amount. 

35. The system of claim 34, wherein the electronic gift 
certificate card activation amount is encoded in the unique 
identification number. 

36. The system of claim 34, wherein the electronic gift 
certificate card activation amount is entered at the point-of- 
sale device. 

37. The system of claim 34, wherein said processing hub 
allows a user of the electronic gift certificate card to pur- 
chase a value up to the balance corresponding to the elec- 
tronic gift certificate activation amount. 

38. The system of claim 34, wherein: 

a. said transaction processor receives electronic gift cer- 
tificate card recharge data from the existing standard 
retail point-of-sale device, said electronic gift certifi- 
cate card recharge data including said unique identifi- 
cation number and an electronic gift certificate card 
recharge amount; and 

b. said processing hub increasing said amount corre- 
sponding to the electronic gift certificate card unique 
identification number with a balance corresponding to 
the electronic gift certificate card recharge amount. 

39. The system of claim 34, wherein the first digit of the 
bank identification number is selected from a group of 
numbers consisting of the numbers four and five. 

40. The system of claim 34, wherein the processing hub 
allows the use of the electronic gift certificate card to obtain 
phone calling time. 

41. The system of claim 34, further comprising: 

a. a prepaid phone card issuer hub receiving directly or 
indirectly the electronic gift card activation data from 
said processing hub; and 

b. said prepaid phone card issuer hub activating a record 
in a phone card database corresponding to the elec- 
tronic gift certificate card unique identification number. 
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42. The system of claim 41, wherein the prepaid phone 
card issuer hub instructs the processing hub to seize the 
account corresponding to the electronic gift certificate card 
unique identification number where an electronic gift cer- 
tificate card is used to make a call. 

43. The system of claim 41, wherein the processing hub 
instructs the phone card issuer hub to seize the record 
corresponding to the electronic gift certificate card unique 
identification number when the electronic gift certificate 
card is used to make a transaction. 

44. The system of claim 34, wherein the transaction 
processor is coupled to the banking network. 

45. The system of claim 34, wherein the processing hub 
associates loyalty data with the electronic gift certificate 
card based upon the usage of the electronic gift certificate 
card. 

46. The system of claim 34, wherein the activation data 
received at the processing hub is encrypted. 

47. The system of claim 34, wherein the processing hub 
includes a loyalty card database. 

48. The system of claim 34, wherein the processing hub 
includes a medical information card database. 

49. The system of claim 34, wherein the processing hub 
includes an electronic gift certificate card database, a loyalty 
card database, and a medical information database. 

50. A multifunction card system comprising: 

a. at least one electronic gift certificate card having an 
electronic gift certificate card unique identification 
number encoded on it, said electronic gift certificate 
card unique identification number comprising a bank 
identification number approved by the American Bank- 
ing Association for use in a banking network; 

b. a transaction processor receiving electronic gift card 
activation data from an unmodified existing standard 
retail point-of-sale device, said electronic gift certifi- 
cate card activation data including the electronic gift 
certificate card unique identification number and an 
electronic gift certificate card activation amount; 

c. a processing hub receiving directly or indirectly said 
activation data from said transaction processor; and 

d. said processing hub activating an account correspond- 
ing to the electronic gift certificate card unique identi- 
fication number with a balance corresponding to the 
electronic gift certificate activation amount. 

51. The multifunction card system of claim 50, wherein 
the electronic gift certificate card activation amount is 
encoded in the unique identification number. 

52. The multifunction card system of claim 50, wherein 
the electronic gift certificate card activation amount is 
entered at the point-of-sale device. 

53. The multifunction card system of claim 50, further 
comprising: 

a. at least one phone card having a phone card unique 
identification number encoded on it, said phone card 
unique identification number comprising a bank iden- 
tification number approved by the American Banking 
Association for use in a banking network; 

b. said transaction processor receiving phone card acti- 
vation data from said existing standard retail point-of- 
sale device, said phone card activation data including 
said phone card unique identification number and a 
phone card activation amount; 

c. said processing hub receiving directly or indirectly said 
phone card activation data from said transaction pro- 
cessor and recognizing the phone card unique identi- 
fication number of the phone card as being associated 
with a particular prepaid phone card issuer; and 
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d. said processing hub forwarding the phone card activa- 
tion data to a particular prepaid phone card issuer hub. 

54. The multifunction system of claim 53, wherein the 
particular prepaid phone card issuer hub contains at least one 
phone card database which stores information about each 
said phone card and activates the stored information to 
permit debiting of a predetermined value of phone calling in 
response to the activation data. 

55. The multifunction system of claim 50, further com- 
prising: 

a. at least one loyalty card having a loyalty card unique 
identification number encoded on it, said loyalty card 
identification number comprising a bank identification 
number approved by the American Banking Associa- 
tion for use in a banking network; 

b. said transaction processor receiving loyalty card acti- 
vation data from said existing standard retail point-of- 
sale device, said loyalty card activation data including 
said loyalty card unique identification number and 
purchase data; 

c. said processing hub receiving directly or indirectly said 
phone card activation data from said transaction pro- 
cessor; and 

d. said processing hub crediting an account corresponding 
to the loyalty card with loyalty points based upon the 
purchase data. 

56. The multifunction system of claim 50, further com- 
prising: 

a. at least one medical information card having a medical 
card unique identification number associated with it, 
said medical information belonging to a patient; and 

b. said processing hub including at least one record 
corresponding to said medical information card, said 
record containing medical history information about 
the patient. 

57. A multifunction card system comprising: 

a. at least one card having a unique identification number 
encoded on it, said identification number comprising a 
bank identification number approved by the American 
Banking Association for use in a banking network; 

b. a transaction processor receiving card activation data 
from an unmodified existing standard retail point-of- 
sale device, said card activation data including said 
unique identification number; 

c. a processing hub receiving directly or indirectly said 
activation data from said transaction processor; and 

d. said processing hub activating an account correspond- 
ing to the unique identification number, thereby per- 
mitting later access to said account. 

58. The multifunction card system of claim 57, wherein 
said card is selected from the group consisting of an elec- 
tronic gift certificate card, a phone card, a loyalty card, and 
a medical information card. 

59. The multifunction card system of claim 57, wherein 
said card performs the functions of an electronic gift cer- 
tificate card, a phone card, a loyalty card, and a medical 
information card. 

60. A method of activating a prepaid card having a unique 
identification number encoded on it, the identification num- 
ber comprising a bank identification number approved by 
the American Banking Association for use in a banking 
network, the method comprising the steps of: 

a. swiping the card through an unmodified existing stan- 
dard point-of-sale device; 

b. transmitting the identification number and an activation 
amount from the point-of-sale device to a processing 
hub; and 
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c. activating an account in the processing hub correspond- 
ing to the identification number. 

61. The method of claim 60, further comprising: 

a. transmitting the identification number and a recharge 
amount from the point-of-sale device to a processing 
hub; and 

b, recharging the account in the processing hub corre- 
sponding to the identification number. 

62. The method of claim 60, further comprising entering 
the activation amount into the point-of-sale device. 

63. The method of claim 60, wherein the step of trans- 
mitting the identification number and the activation amount 
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from the point-of-sale device is carried out at least in part 
over the banking network. 

64. The method of claim 60, further comprising allowing 
a user of the card to obtain calling time using the card. 

65. The method of claim 60, further comprising allowing 
a user of the card to purchase goods and services using the 
card. 

66. The method of claim 60, further comprising associ- 
3 ating loyalty data with the card based upon usage of the card. 

***** 
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